https://wiki.itcollege.ee/api.php?action=feedcontributions&feedformat=atom&user=MavaldICO wiki - User contributions [en]2026-05-05T06:51:39ZUser contributionsMediaWiki 1.45.1https://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142306Hiring a Cyber Security Incident Analyst2022-05-01T16:59:20Z<p>Mavald: </p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi1">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<ref name="stratacore">Stratacore, "Incident Response Plan (IRP)". https://www.stratacore.com/incidentresponseplan [Accessed 28 April 2022].</ref><br />
<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<ref name="cisa">CISA (Cybersecurity & Infrastructure Security Agency, "Defining Computer Security Incident Response Teams". https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams [Accessed 28 April 2022].</ref><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.<br />
<ref name="CMUni">Carniege Mellon University, Brittany Manley, David McIntire "A Guide to Effective Incident Management Communications". https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf [Accessed 28 April 2022].</ref><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.<br />
<ref name="ecpi">ECPI, "What-is-digital-forensics-in-cybersecurity". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me [Accessed 27 April 2022].</ref><br />
<br />
Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.<ref name="franklin"></ref><br />
<br />
Most likely this trend is also similar in other countries.</p><br />
<br />
When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers. <ref name="linkedin">LinkedIn, "Cyber Security Jobs". Available: ttps://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0 [Accessed 28 April 2022].</ref><br />
<br />
Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.<br />
<ref name="aripaev">Äripäev, "RIA: lohakas kaugtöölaua seadistus halvas märtsis 17 ettevõtte IT-süsteemid"Available: ttps://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid [Accessed 28 April 2022].</ref><br />
<br />
Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.<br />
Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.<br />
==Sources==</div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142284Hiring a Cyber Security Incident Analyst2022-05-01T16:21:40Z<p>Mavald: /* Digital forensics */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi1">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<ref name="stratacore">Stratacore, "Incident Response Plan (IRP)". https://www.stratacore.com/incidentresponseplan [Accessed 28 April 2022].</ref><br />
<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<ref name="cisa">CISA (Cybersecurity & Infrastructure Security Agency, "Defining Computer Security Incident Response Teams". https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams [Accessed 28 April 2022].</ref><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.<br />
<ref name="CMUni">Carniege Mellon University, Brittany Manley, David McIntire "A Guide to Effective Incident Management Communications". https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf [Accessed 28 April 2022].</ref><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.<br />
<ref name="ecpi">ECPI, "What-is-digital-forensics-in-cybersecurity". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me [Accessed 27 April 2022].</ref><br />
<br />
Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.<ref name="franklin"></ref><br />
<br />
Most likely this trend is also similar in other countries.</p><br />
<br />
When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers. <ref name="linkedin">LinkedIn, "Cyber Security Jobs". Available: ttps://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0 [Accessed 28 April 2022].</ref><br />
<br />
Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.<br />
<ref name="aripaev">Äripäev, "RIA: lohakas kaugtöölaua seadistus halvas märtsis 17 ettevõtte IT-süsteemid"Available: ttps://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid [Accessed 28 April 2022].</ref><br />
<br />
Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.<br />
Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142282Hiring a Cyber Security Incident Analyst2022-05-01T16:21:01Z<p>Mavald: /* Future */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<ref name="stratacore">Stratacore, "Incident Response Plan (IRP)". https://www.stratacore.com/incidentresponseplan [Accessed 28 April 2022].</ref><br />
<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<ref name="cisa">CISA (Cybersecurity & Infrastructure Security Agency, "Defining Computer Security Incident Response Teams". https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams [Accessed 28 April 2022].</ref><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.<br />
<ref name="CMUni">Carniege Mellon University, Brittany Manley, David McIntire "A Guide to Effective Incident Management Communications". https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf [Accessed 28 April 2022].</ref><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.<br />
<ref name="ecpi">ECPI, "What-is-digital-forensics-in-cybersecurity". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me [Accessed 27 April 2022].</ref><br />
<br />
Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.<ref name="franklin"></ref><br />
<br />
Most likely this trend is also similar in other countries.</p><br />
<br />
When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers. <ref name="linkedin">LinkedIn, "Cyber Security Jobs". Available: ttps://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0 [Accessed 28 April 2022].</ref><br />
<br />
Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.<br />
<ref name="aripaev">Äripäev, "RIA: lohakas kaugtöölaua seadistus halvas märtsis 17 ettevõtte IT-süsteemid"Available: ttps://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid [Accessed 28 April 2022].</ref><br />
<br />
Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.<br />
Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142279Hiring a Cyber Security Incident Analyst2022-05-01T16:16:10Z<p>Mavald: /* Future */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<ref name="stratacore">Stratacore, "Incident Response Plan (IRP)". https://www.stratacore.com/incidentresponseplan [Accessed 28 April 2022].</ref><br />
<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<ref name="cisa">CISA (Cybersecurity & Infrastructure Security Agency, "Defining Computer Security Incident Response Teams". https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams [Accessed 28 April 2022].</ref><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.<br />
<ref name="CMUni">Carniege Mellon University, Brittany Manley, David McIntire "A Guide to Effective Incident Management Communications". https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf [Accessed 28 April 2022].</ref><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.<br />
<ref name="ecpi">ECPI, "What-is-digital-forensics-in-cybersecurity". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me [Accessed 27 April 2022].</ref><br />
<br />
Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.<ref name="franklin"></ref><br />
<br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142277Hiring a Cyber Security Incident Analyst2022-05-01T16:12:37Z<p>Mavald: /* Communicating with employees, shareholders, customers, and the press about incidents as needed */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<ref name="stratacore">Stratacore, "Incident Response Plan (IRP)". https://www.stratacore.com/incidentresponseplan [Accessed 28 April 2022].</ref><br />
<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<ref name="cisa">CISA (Cybersecurity & Infrastructure Security Agency, "Defining Computer Security Incident Response Teams". https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams [Accessed 28 April 2022].</ref><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.<br />
<ref name="CMUni">Carniege Mellon University, Brittany Manley, David McIntire "A Guide to Effective Incident Management Communications". https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf [Accessed 28 April 2022].</ref><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142276Hiring a Cyber Security Incident Analyst2022-05-01T16:10:41Z<p>Mavald: /* Investigating and analyzing incidents */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<ref name="stratacore">Stratacore, "Incident Response Plan (IRP)". https://www.stratacore.com/incidentresponseplan [Accessed 28 April 2022].</ref><br />
<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<ref name="cisa">CISA (Cybersecurity & Infrastructure Security Agency, "Defining Computer Security Incident Response Teams". https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams [Accessed 28 April 2022].</ref><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142275Hiring a Cyber Security Incident Analyst2022-05-01T16:09:07Z<p>Mavald: /* Creating and maintaining an incident response plan (IRP) */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<ref name="stratacore">Stratacore, "Incident Response Plan (IRP)". https://www.stratacore.com/incidentresponseplan [Accessed 28 April 2022].</ref><br />
<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142269Hiring a Cyber Security Incident Analyst2022-05-01T16:05:58Z<p>Mavald: /* CERT */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure. <ref name="exabeam"></ref><br />
<br />
In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.<br />
<ref name="techopedia">Techopedia, "Computer Emergency Response Team (CERT)". Available: https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert. [Accessed 25 April 2022].</ref><br />
<br />
In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security. <ref name="ria">Information System Autority, "CERT-EE". Available: hhttps://www.ria.ee/en/cyber-security/cert-ee.html [Accessed 25 April 2022].</ref><br />
<br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142256Hiring a Cyber Security Incident Analyst2022-05-01T16:01:07Z<p>Mavald: /* Understand the primary roles and characteristics of a CERT, CSIRT, and SOC. */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints. <ref name="exabeam"></ref><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142254Hiring a Cyber Security Incident Analyst2022-05-01T16:00:57Z<p>Mavald: /* Difference between SOC/CSIRT/CERT */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences. <ref name="exabeam"></ref><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142252Hiring a Cyber Security Incident Analyst2022-05-01T16:00:06Z<p>Mavald: /* Understand the primary roles and characteristics of a CERT, CSIRT, and SOC. */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.<br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|600px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142250Hiring a Cyber Security Incident Analyst2022-05-01T15:59:54Z<p>Mavald: /* Understand the primary roles and characteristics of a CERT, CSIRT, and SOC. */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.<br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
[[File:analystimage4.png|300px|thumb|Primary Roles of CERT, CSIRT, and SOC<ref name="exabeam></ref>]]<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142248Hiring a Cyber Security Incident Analyst2022-05-01T15:58:47Z<p>Mavald: /* Difference between SOC/CSIRT/CERT */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
==Difference between SOC/CSIRT/CERT==<br />
[[File:analystimage3.png|300px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.<br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142243Hiring a Cyber Security Incident Analyst2022-05-01T15:57:58Z<p>Mavald: /* Difference between SOC/CSIRT/CERT */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
==Difference between SOC/CSIRT/CERT==<br />
How CSIRTs differ from CERTs and SOCs. There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.<br />
[[File:analystimage3.png|1000px|thumb|SOC/CSIRT/CERT <ref name="exabeam></ref>]]<br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
<br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142241Hiring a Cyber Security Incident Analyst2022-05-01T15:53:00Z<p>Mavald: /* Certificates */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities.<br />
<br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142240Hiring a Cyber Security Incident Analyst2022-05-01T15:52:43Z<p>Mavald: /* Certificates */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. <br />
Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142234Hiring a Cyber Security Incident Analyst2022-05-01T15:49:56Z<p>Mavald: /* CSIRT */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<br />
<ref name="exabeam"></ref><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<br />
https://www.stratacore.com/incidentresponseplan<br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142229Hiring a Cyber Security Incident Analyst2022-05-01T15:48:47Z<p>Mavald: /* SOC */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.<ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
<p>Functions of the SOC team include, but are not limited to:<ref name="trellix">Trellix, "What Is a Security Operations Center (SOC)?". Available: https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html [Accessed 30 APr 2022].</ref></p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142224Hiring a Cyber Security Incident Analyst2022-05-01T15:45:31Z<p>Mavald: /* Salary */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.<ref name="talent">talent.com, "Csirt Analyst average salary in USA 2022". Available: https://www.talent.com/salary?job=csirt+analyst [Accessed 28 April 2022].</ref><br />
<br />
There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
</ul><br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142223Hiring a Cyber Security Incident Analyst2022-05-01T15:43:11Z<p>Mavald: /* Salary */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale: <ref name="studyportal"></ref></p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<br />
When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.<ref name="digigeenius">DiGi Geenius, "Kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad". Available: https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/ [Accessed 28 April 2022].</ref><br />
<ref name="tehnika">Postimees, "Riigi-it-tootajate-palgamaarad-kasvasid". Available: https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid [Accessed 28 April 2022].</ref><br />
But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services. <ref name="digigeenius2">DiGi Geenius, "5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka". Available: https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka [Accessed 28 April 2022].</ref><br />
<br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142215Hiring a Cyber Security Incident Analyst2022-05-01T15:37:32Z<p>Mavald: /* Education */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142214Hiring a Cyber Security Incident Analyst2022-05-01T15:36:55Z<p>Mavald: /* Education */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
[[File:Analystimage7.png|400px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
<br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<br />
<br />
<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142211Hiring a Cyber Security Incident Analyst2022-05-01T15:35:47Z<p>Mavald: /* Education */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
[[File:Analystimage7.png|500px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<br />
<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142210Hiring a Cyber Security Incident Analyst2022-05-01T15:34:46Z<p>Mavald: /* Education */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<br />
<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
[[File:Analystimage7.png|700px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=File:Analystimage7.png&diff=142209File:Analystimage7.png2022-05-01T15:33:52Z<p>Mavald: </p>
<hr />
<div></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142207Hiring a Cyber Security Incident Analyst2022-05-01T15:33:14Z<p>Mavald: /* Education */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<br />
<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
[[File:analystimage7.png|700px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142206Hiring a Cyber Security Incident Analyst2022-05-01T15:32:40Z<p>Mavald: /* Education */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career. <ref name="cv">cv.ee, "SEIRESPETSIALIST - tule Eesti küberruumi valvuriks!". Available: https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks [Accessed 28 April 2022].</ref><br />
Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.<br />
If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity. <ref name="enisa">ENISA (European Union Agency for Cybersecurity), "Cybersecurity Education-Cybersecurity Higher Education Database". Available: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses [Accessed 26 April 2022].</ref><br />
Also, there is a great amount of discussion, if cyber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.<br />
<ref name="franklin">Franklin University, "Is Getting a Master's Degree in Cyber Security Worth It?". Available: https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it [Accessed 28 April 2022].</ref><br />
[[File:analystimage7.png|700px|thumb|Comparison degree vs Certificate <ref>"Comparison Table". Available at https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</ref>]]<br />
Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.<ref name="franklin"></ref><br />
<br />
As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:<br />
<ref name="studyportal">Studyportals, "Why You Should Study a Cyber Security Degree in 2022". Available: https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html [Accessed 28 April 2022].</ref><br />
<br />
<br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
</li><br />
</ul><br />
<br />
Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.<br />
<br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142197Hiring a Cyber Security Incident Analyst2022-05-01T15:18:31Z<p>Mavald: /* Entry-Level Incident Response Positions */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142196Hiring a Cyber Security Incident Analyst2022-05-01T15:18:15Z<p>Mavald: /* Entry-Level Incident Response Positions */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples: <ref name="Infosec">Infosec, "Incident Responder Career Roadmap: From Entry Level to Executive". Available: https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/ [Accessed 28 April 2022].</ref></p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142195Hiring a Cyber Security Incident Analyst2022-05-01T15:10:32Z<p>Mavald: /* Senior-Level Incident Response Positions */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"></ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142194Hiring a Cyber Security Incident Analyst2022-05-01T15:10:06Z<p>Mavald: /* Senior-Level Incident Response Positions */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.<ref name="coursera"</ref><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142193Hiring a Cyber Security Incident Analyst2022-05-01T15:09:09Z<p>Mavald: /* Entry-Level Incident Response Positions */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
=== Mid-Level Incident Response Positions ===<br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<br />
===Senior-Level Incident Response Positions===<br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142192Hiring a Cyber Security Incident Analyst2022-05-01T15:06:36Z<p>Mavald: /* Entry-Level Incident Response Positions */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services. <ref name="corsera">Perforce, "10 Popular Cybersecurity Certifications [2022 Updated]". Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 28 April 2022].</ref><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142191Hiring a Cyber Security Incident Analyst2022-05-01T15:02:43Z<p>Mavald: /* Audit and compliance knowledge */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data. <ref name="cyforsecure">Cyfor Secure, "What is a Cyber Security Audit and how can it help your organisation?". Available: https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/. [Accessed 28 April 2022].</ref><br />
<br />
Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrative procedures.<ref name="nordlayer">NordLayer, "Cybersecurity compliance: Everything you need to know". Available: https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/. [Accessed 28 April 2022].</ref><br />
All needed skills are developed through courses and certification.<br />
<br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142188Hiring a Cyber Security Incident Analyst2022-05-01T14:57:04Z<p>Mavald: /* Application security development */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<ref name="vmware">VmWare, "What is application security?". Available: https://www.vmware.com/topics/glossary/content/application-security.html [Accessed 28 April 2022].</ref><br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools. <br />
<ref name="perforce">Perforce, "Application Security Development Best Practices". Available: https://www.perforce.com/blog/kw/application-security-development-best-practices. [Accessed 28 April 2022].</ref><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142187Hiring a Cyber Security Incident Analyst2022-05-01T14:53:25Z<p>Mavald: /* CSIRT */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include: <br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142186Hiring a Cyber Security Incident Analyst2022-05-01T14:51:30Z<p>Mavald: /* CSIRT */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:<ref name="exabeam"</ref><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142185Hiring a Cyber Security Incident Analyst2022-05-01T14:50:19Z<p>Mavald: /* Remediating incidents */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142184Hiring a Cyber Security Incident Analyst2022-05-01T14:49:54Z<p>Mavald: /* Remediating incidents */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause. <ref name="logsign">Logsign, "What-is-remediation-in-cyber-security". Available: https://www.logsign.com/blog/what-is-remediation-in-cyber-security/. [Accessed 28 Apr 2022].</ref><br />
<br />
===Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security. <ref name="exabeam">Exabeam, "CSIRT". Available: https://www.exabeam.com/incident-response/csirt/ [Accessed 28 APr 2022].</ref><br />
<br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142182Hiring a Cyber Security Incident Analyst2022-05-01T14:42:42Z<p>Mavald: /* Possible career path */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|1000px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142181Hiring a Cyber Security Incident Analyst2022-05-01T14:42:20Z<p>Mavald: /* Data management */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|700px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<ref name="GlobalUni">Global Universities, "MSc Data Management and Cyber Security". Available: https://globaluniversities.in/msc-data-management-cyber-security. [Accessed 26 Apr 2022].</ref><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain. <ref name="CyberMagazine">Cyber Security Magazine, "The Role of Data Governance in Cybersecurity". Available: https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity. [Accessed 26 Apr 2022].</ref><br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142177Hiring a Cyber Security Incident Analyst2022-05-01T14:37:43Z<p>Mavald: /* Mobile device management */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|700px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<ref name="techtarget">Techtarget, "Mobile Device Management". Available: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management [Accessed 27 4 2022].</ref><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<br />
<p>https://globaluniversities.in/msc-data-management-cyber-security/</p><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain.</p><br />
<p>https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity</p></li><br />
<br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142176Hiring a Cyber Security Incident Analyst2022-05-01T14:34:13Z<p>Mavald: /* Digital forensics */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|700px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.<ref name="interpol">Interpol, "Digital forensics". Available: https://www.interpol.int/How-we-work/Innovation/Digital-forensics. [Accessed 28 4 2022].</ref> <br />
Investigative process of digital forensics can be divided into several stages. There are four major stages: preservation, collection,<br />
examination, and analysis. All these four stages need a deep understanding of computers, technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding, in-depth investigative abilities, critical-thinking skills and analytical talent the ability to effectively communicate and work with a<br />
wide range of people. <ref name="ecpi">"Digital forensics". Available: https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me. [Accessed 26 4 2022].</ref><br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<br />
<p>https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management</p></li><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<br />
<p>https://globaluniversities.in/msc-data-management-cyber-security/</p><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain.</p><br />
<p>https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity</p></li><br />
<br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=File:Image11.png&diff=142172File:Image11.png2022-05-01T14:27:22Z<p>Mavald: </p>
<hr />
<div></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=File:Analystimage3.png&diff=142171File:Analystimage3.png2022-05-01T14:27:02Z<p>Mavald: </p>
<hr />
<div></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=File:Analystimage4.png&diff=142170File:Analystimage4.png2022-05-01T14:26:45Z<p>Mavald: </p>
<hr />
<div></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142169Hiring a Cyber Security Incident Analyst2022-05-01T14:20:49Z<p>Mavald: /* Certificates */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|700px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
<p>Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.</p><br />
<p>https://www.interpol.int/How-we-work/Innovation/Digital-forensics</p><br />
<p>Investigative process of digital forensics can be divided into<br />
several stages. There are four major stages: preservation, collection,<br />
examination, and analysis.</p><br />
<p>https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7882&amp;rep=rep1&amp;type=pdf</p><br />
<p>All these four stages need a deep understanding of computers,<br />
technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding,<br />
in-depth investigative abilities, critical-thinking skills and<br />
analytical talent the ability to effectively communicate and work with a<br />
wide range of people.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p></li><br />
<br />
<br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<br />
<p>https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management</p></li><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<br />
<p>https://globaluniversities.in/msc-data-management-cyber-security/</p><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain.</p><br />
<p>https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity</p></li><br />
<br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142168Hiring a Cyber Security Incident Analyst2022-05-01T14:20:30Z<p>Mavald: /* Certificates */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|700px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
<p>Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.</p><br />
<p>https://www.interpol.int/How-we-work/Innovation/Digital-forensics</p><br />
<p>Investigative process of digital forensics can be divided into<br />
several stages. There are four major stages: preservation, collection,<br />
examination, and analysis.</p><br />
<p>https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7882&amp;rep=rep1&amp;type=pdf</p><br />
<p>All these four stages need a deep understanding of computers,<br />
technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding,<br />
in-depth investigative abilities, critical-thinking skills and<br />
analytical talent the ability to effectively communicate and work with a<br />
wide range of people.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p></li><br />
<br />
<br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<br />
<p>https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management</p></li><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<br />
<p>https://globaluniversities.in/msc-data-management-cyber-security/</p><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain.</p><br />
<p>https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity</p></li><br />
<br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref> . One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/2020/10/12/scr-oct-2020-update/. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142167Hiring a Cyber Security Incident Analyst2022-05-01T14:17:48Z<p>Mavald: /* Certificates */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|700px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
<p>Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.</p><br />
<p>https://www.interpol.int/How-we-work/Innovation/Digital-forensics</p><br />
<p>Investigative process of digital forensics can be divided into<br />
several stages. There are four major stages: preservation, collection,<br />
examination, and analysis.</p><br />
<p>https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7882&amp;rep=rep1&amp;type=pdf</p><br />
<p>All these four stages need a deep understanding of computers,<br />
technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding,<br />
in-depth investigative abilities, critical-thinking skills and<br />
analytical talent the ability to effectively communicate and work with a<br />
wide range of people.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p></li><br />
<br />
<br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<br />
<p>https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management</p></li><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<br />
<p>https://globaluniversities.in/msc-data-management-cyber-security/</p><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain.</p><br />
<p>https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity</p></li><br />
<br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<br />
<p><br /><br />
<br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different. One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<ref name="Pauljeremy">"Cybersecurity Roadmap," [Online]. Available: https://pauljerimy.com/security-certification-roadmap. [Accessed 30 Apr 2022].</ref><br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavaldhttps://wiki.itcollege.ee/index.php?title=Hiring_a_Cyber_Security_Incident_Analyst&diff=142166Hiring a Cyber Security Incident Analyst2022-05-01T14:13:38Z<p>Mavald: /* Certificates */</p>
<hr />
<div>==A Cyber Security Incident Analyst==<br />
<br />
[[File:image1.png|600px|thumb|Job advertisement <ref>"Job Advertisement". Available at https://www.projectpeople.com/jobs/</ref>]]<br />
===Cyber security incident analyst in SOC/CSIRT/CERT===<br />
This article delves into the job title of Cyber Security Incident<br />
Analyst and provides an overview of the acronyms SOC/CSIRT/CERT. A brief<br />
history of the job is discussed here, as well as a possible career path,<br />
education, experience, and other characteristics required for work in<br />
computer security-related organizations. The article also provides a<br />
brief history of SOC/CSIRT/CERT, as well as a comparison of their<br />
differences and similarities.<br />
===Cyber Security Incident Analyst Skill Set===<br />
What skill set is expected from the Cyber Security Incident Analyst? Below written lines are taken from the same job advertisement depicted<br />
on the left side of this article:<br />
As a Security Incident Analyst your responsibilities will include:<br />
<ul><br />
<li>Continuous monitoring of security tooling</li><br />
<li>Performing regular and ad-hoc vulnerability assessments</li><br />
<li>Carrying out ‘spot checks’</li><br />
<li>Reporting vulnerabilities to the PVG via the alerts system</li><br />
<li>Maintaining and documenting logging systems</li><br />
<li>Developing centralized logging, reporting and intelligence<br />
platforms</li><br />
<li>‘Light touch’ penetration testing with open source tooling<br />
(Metasploit)</li><br />
</ul><br />
Knowledge &amp; Experience required:<br />
<ul><br />
<li>SOC, CSIRT or CERT operational environment experience</li><br />
<li>Windows / Linux experience</li><br />
<li>TCP /IP networking protocol knowledge</li><br />
<li>Experience reviewing and analyzing Security Events from various<br />
monitoring and logging sources</li><br />
<li>Experience in website and web application security assessment or<br />
penetration testing</li><br />
<li>Experience of using Metasploit</li><br />
<li>Scripting knowledge using BASH, Python, Perl, Ruby</li><br />
<li>Skills in Host and Network Forensics</li><br />
</ul><br />
As one can see the description of the duties is wide and also the<br />
knowledge and experience that is required is noteworthy. So, where to<br />
start to find out the way to get this kind of knowledge and<br />
expertize.<br />
===Possible career path===<br />
Next part of the paper is aiming to depict a possible ways, how to<br />
develop oneself, and move along the career pathway in cybersecurity<br />
field. Topics of development, education, experience and certification<br />
are covered.<br />
[[File:analystimage2.png|700px|thumb|Career path <ref>"Possible Career Path". Available at https://www.cyberseek.org/pathway.html</ref>]]<br />
<br />
===Junior/Senior===<br />
Start with an entry-level job in IT. Hands-on experience is often the<br />
most effective way to prepare for certification exams. Start<br />
accumulating work experience with an entry-level role as a cybersecurity<br />
analyst. Many cybersecurity professionals start off in more general IT<br />
roles. The skills, practices, and technologies you’ll use as a<br />
cybersecurity professional will continue to evolve along with computer<br />
and network technology. The desire to learn, ability to problem solve,<br />
and attention to detail will serve you well in this field. Other, more<br />
technical skills and technologies to learn include:<ref name="certification">Popular Cyber Security Certificates [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications [Accessed 25 April 2022].</ref><br />
<br />
====SIEM tools (security information and event management)====<br />
Security Information and Event Management (SIEM) is a set of tools<br />
and services offering a holistic view of an organization’s information<br />
security. SIEM works by combining two technologies:<br />
<li>Security information management (SIM), which collects data from log<br />
files for analysis and reports on security threats and events, and</li><br />
<li>security event management (SEM), which conducts real-time system<br />
monitoring, notifies network admins about important issues and<br />
establishes correlations between security events. There are a number of<br />
security information and event management solutions on the market.<br />
ArcSight ESM, IBM QRadar and Splunk are among the most popular. <ref name="SIEM">Application security, SIEM [Online]. Available: https://www.imperva.com/learn/application-security/siem/. [Accessed 27 4 2022].</ref></li><br />
<br />
====Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems(IPS)====<br />
Firewalls can be two types, hardware and software firewalls. Software<br />
firewall is a firewall that is installed on a computer or server, and<br />
tasked with network security. It works with a wide variety of other<br />
technology security solutions to provide more robust and cohesive<br />
security for enterprises of all sizes. When a software firewall is<br />
installed on a server, it opens up like an umbrella of protection over<br />
all other computers connected to the network. It is able to monitor both<br />
incoming and outgoing traffic for potential risk or suspicious user<br />
behavior, and also makes setting security policies much easier, faster<br />
and more flexible. Hardware firewall is positioned between the network<br />
and devices, allowing traffic to funnel through the firewall for a close<br />
inspection and analysis. A hardware firewall, a term often<br />
interchangeable with network or next-generation firewall, protects the<br />
network gateways for an enterprise. Hardware firewall is physical<br />
hardware, installed between network elements and connected devices, and<br />
is tasked with filtering traffic for cyber threat to the network or<br />
devices. Filtering out unauthorized or suspicious users based on traffic<br />
analysis is one of the biggest benefits of hardware firewall. <ref name="sangfor">Sangfor, "What is Software Firewall? Difference between Hardware Firewall and Software Firewall, [Online]. Available: https://www.sangfor.com/blog/cybersecurity/what-is-software-firewall-difference-between-hardware-firewall-and-software-firewall [Accessed 26 4 2022].</ref><br />
<br />
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems<br />
(IPS) are both parts of the network infrastructure. IDS/IPS compare<br />
network packets to a cyberthreat database containing known signatures of<br />
cyberattacks — and flag any matching packets. IDS doesn’t alter the<br />
network packets in any way, whereas IPS prevents the packet from<br />
delivery based on the contents of the packet, much like how a firewall<br />
prevents traffic by IP address. <ref name="Varonis">Varonis, "What is Software Firewall? IDS vs. IPS: What is the Difference?, [Online]. Available: https://www.varonis.com/blog/ids-vs-ips [Accessed 26 4 2022].</ref><br />
<br />
====Digital forensics====<br />
<p>Digital forensics is a branch of forensic science that focuses on<br />
identifying, acquiring, processing, analyzing, and reporting on data<br />
stored electronically. Electronic evidence is a component of almost all<br />
criminal activities and digital forensics support is crucial for law<br />
enforcement investigations. Electronic evidence can be collected from a<br />
wide array of sources, such as computers, smartphones, remote storage,<br />
unmanned aerial systems, shipborne equipment, and more.</p><br />
<p>https://www.interpol.int/How-we-work/Innovation/Digital-forensics</p><br />
<p>Investigative process of digital forensics can be divided into<br />
several stages. There are four major stages: preservation, collection,<br />
examination, and analysis.</p><br />
<p>https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7882&amp;rep=rep1&amp;type=pdf</p><br />
<p>All these four stages need a deep understanding of computers,<br />
technology across a broad spectrum, and cybersecurity principles and<br />
practices, a working knowledge of computers, networks, and coding,<br />
in-depth investigative abilities, critical-thinking skills and<br />
analytical talent the ability to effectively communicate and work with a<br />
wide range of people.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p></li><br />
<br />
<br />
<br />
====Mobile device management====<br />
Mobile device management (MDM) is software that allows IT<br />
administrators to control, secure and enforce policies on smartphones,<br />
tablets and other endpoints. Mobile device management software emerged<br />
in the early 2000s as a way to control and secure the personal digital<br />
assistants and smartphones that business workers began to use. The<br />
consumer smartphone boom that started with the launch of the Apple<br />
iPhone in 2007 led to the bring your own device (BYOD) trend, which<br />
fueled further interest in MDM.<br />
<p>https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management</p></li><br />
<br />
====Data management====<br />
Sometimes the data management is neglected, but this part has a<br />
crucial role when learning for good cyber security practices. Majority<br />
of cyber security programs include a special courses on data management.<br />
Data management is a method of organizing and maintaining data processes<br />
that are required in almost every business operations. The benefits of<br />
data management can be found accounting, statistics, logistics planning<br />
and other disciplines including corporate computing.<br />
<p>https://globaluniversities.in/msc-data-management-cyber-security/</p><br />
Data governance (and management) play a fundamental role in<br />
protecting an organization’s data. Ensuring that the right people have<br />
the right access and that appropriate security controls are in place to<br />
protect each system or service, based on the criticality or sensitivity<br />
of the data sets these contain.</p><br />
<p>https://cybersecurity-magazine.com/the-role-of-data-governance-in-cybersecurity/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=the-role-of-data-governance-in-cybersecurity</p></li><br />
<br />
<br />
====Application security development====<br />
Application security describes security measures at the application<br />
level that aim to prevent data or code within the app from being stolen<br />
or hijacked. It encompasses the security considerations that happen<br />
during application development and design, but it also involves systems<br />
and approaches to protect apps after they get deployed. Application<br />
security may include hardware, software, and procedures that identify or<br />
minimize security vulnerabilities.<br />
https://www.vmware.com/topics/glossary/content/application-security.html<br />
Application security development is important to ensure that your<br />
application is free from coding errors and bugs. And controls the risk<br />
and helps safeguard against security vulnerabilities. Application<br />
security development is the process of making applications more secure<br />
by finding and fixing security vulnerabilities. This is often done by<br />
enforcing software security best practices and using application<br />
security testing tools.<br />
<p>https://www.perforce.com/blog/kw/application-security-development-best-practices</p><br />
<br />
====Audit and compliance knowledge====<br />
A cyber security audit is designed to be a comprehensive review and<br />
analysis of your business’s IT infrastructure. It identifies threats and<br />
vulnerabilities, exposing weaknesses and high-risk practices.<br />
Regulations such as the EU GDPR (General Data Protection Regulation) can<br />
impose hefty penalties in the event of a breach that results in<br />
exploited data. A cyber security audit will help mitigate the<br />
consequences of a breach and demonstrate that your organization has<br />
taken the necessary steps to protect client and company data.</p><br />
<p>https://cyforsecure.co.uk/services/cyber-assessment/cyber-security-audit/</p><br />
<p>Cybersecurity compliance is the organizational risk management method<br />
aligned with pre-defined security measures &amp; controls on how data<br />
confidentiality is ensured by its administrational procedures.</p><br />
<p>https://nordlayer.com/blog/cybersecurity-compliance-everything-you-need-to-know/</p><br />
<p>All needed skills are developed through courses and<br />
certification.</p></li><br />
</ul><br />
===Entry-Level Incident Response Positions===<br />
<p>It is not always possible to advance to the position of incident<br />
responder in a straight line. Many professionals advance from entry- to<br />
mid-level positions before becoming a real incident responder or a<br />
member of a computer emergency response team (CERT).<br /><br />
These are some examples:</p><br />
<ul><br />
<li><h5 id="network-administrator">Network administrator</h5><br />
<p>This position’s experience will help potential incident responders<br />
develop networking skills. Attention to detail, as well as the ability<br />
to sift through system configurations, site layouts, and general network<br />
and communication setups, are essential in this field.</p></li><br />
<li><h5 id="system-administrator">System administrator</h5><br />
<p>Another crucial beginning point for an incident responder is to learn<br />
how to manage resources inside your organization as well as user<br />
behavior. Understanding the potential damage that users, inadequate<br />
security setups, and ineffective IT policies and procedures can cause on<br />
your network can provide prospective candidates with insight into the<br />
human component of an incident.</p></li><br />
<li><h5 id="security-administrator">Security administrator</h5><br />
<p>In such a position, basic hacking skills, penetration testing, and<br />
intrusion detection are all learned, which are crucial incident<br />
responder skills when trying to replicate a breach or attack.<br />
Understanding the paths a cybercriminal will take when attempting to<br />
damage or obtain access to a system can greatly simplify the work of<br />
reverse engineering the incident.</p></li><br />
</ul><br />
<p>https://resources.infosecinstitute.com/topic/incident-responder-career-roadmap-entry-level-executive/</p><br />
<h3 id="mid-level-incident-response-positions">Mid-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5<br />
id="computer-security-incident-response-team-csirt-engineer">Computer<br />
security incident response team (CSIRT) engineer</h5></li><br />
<li><h5 id="cyber-incident-responder">Cyber incident responder</h5></li><br />
<li><h5 id="incident-response-engineer">Incident response<br />
engineer</h5></li><br />
</ul><br />
<p>While each of these positions is different, they generally require<br />
very similar skills and characteristics in a candidate. At this level,<br />
personal characteristics such as problem solving, time management, and<br />
even presentation skills become more crucial as one’s career evolves<br />
into a management-facing role.</p><br />
<p>Technical skills include the ability to identify and minimize threats<br />
while maintaining communication with management and the rest of your<br />
team. Data analysis and evidence gathering become increasingly crucial,<br />
and the circumstances in which your services are deployed get more<br />
serious.</p><br />
<p>Problem-solving skills are crucial at this level of incident<br />
response, and as the stakes rise, so does the pressure in each<br />
situation. At this level, programming abilities are essential since<br />
incident responders may be needed to reverse engineer malicious code or<br />
even create patches for vulnerable network applications or services.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<h3 id="senior-level-incident-response-positions">Senior-Level Incident<br />
Response Positions</h3><br />
<ul><br />
<li><h5 id="intrusion-detection-specialist">Intrusion detection<br />
specialist:</h5></li><br />
</ul><br />
<p>A CISSP certification might help a potential candidate in preparing<br />
for the profession. The role of an intrusion detection specialist is to<br />
find and stop any unwanted communications.</p><br />
<ul><br />
<li><h5 id="incident-manager">Incident manager:</h5></li><br />
</ul><br />
<p>Expected to plan, oversee, manage, and supervise all incident<br />
response team actions. Is in charge of reporting all current events to<br />
senior management and stakeholders, as well as acting as the technical<br />
lead on active incidents for incident responders. Prepares threat and<br />
impact assessments and reports them known to management.</p><br />
<p>https://www.coursera.org/articles/popular-cybersecurity-certifications</p><br />
<br />
==Certificates== <br />
<ref name="Coursera">Coursera, "10 Popular Cybersecurity Certifications [2022 Updated]," [Online]. Available: https://www.coursera.org/articles/popular-cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<ref name="NICCS">NICCS, "Cybersecurity Certifications," [Online]. Available: hhttps://niccs.cisa.gov/about-niccs/cybersecurity-certifications. [Accessed 30 Apr 2022].</ref><br />
<br />
<p>https://pauljerimy.com/security-certification-roadmap/<br /><br />
<br />
There is a vast number of different certificates and the road map to<br />
being a certified professional could be very different. One possible<br />
approach is to start with basic certificates from the different branches<br />
of service and move to more specific and demanding focused<br />
certification. Also, some jobs require certain clearances, either from<br />
industry, or from the government. One small selection of different<br />
possible certificates is brought out in following paragraphs.<br />
<br />
Security+ is a CompTIA certification that is considered a basic cert<br />
among cybersecurity professionals. It covers the topics of risk<br />
management and threat assessment.<br />
Network+ is also offered by CompTIA this certification (like the name<br />
implies) focuses on networking infrastructure and operations. It is<br />
considered a foundational certification.<br />
The Certified Information Systems Security Professional (CISSP) is a<br />
more advanced certification designed for cybersecurity professionals<br />
with at least five years of work experience. The certification covers<br />
topics such as architecture, engineering, and management.</p><br />
The Certified Ethical Hacker (CEH) certification is also considered a<br />
more advanced cert because it generally requires that applicants have<br />
multiple years of work experience. The goal of an ethical hacker<br />
certification is to be able to understand how cyber attacks unfold in<br />
order to improve threat assessment and mitigation skills.<ref name="cyberguide">Cybersecurity Guide, "How to become a cybersecurity specialist", [Online]. Available: https://cybersecurityguide.org/careers/security-specialist/. [Accessed 27 April 2022].</ref><br />
This is definitely not all, when one looks for more information, following link could be searched, to get more in depth knowledge about<br />
different possibilities. Hereby, with the help of this matrix a possible taxonomy of different 436 listed certificates in branches are<br />
presented.<br />
<br />
[[File:analystimage5.png|1000px|thumb|Certificate matrix <ref>"Certification roadmap". Available at https://pauljerimy.com/security-certification-roadmap</ref>]]<br />
<br />
=== Communication and Network Security===<br />
Communication and network security covers the ability to secure<br />
communication channels and networks. Topics include secure and converges<br />
protocols, wireless networks, cellular networks, hardware operations<br />
(warranty and redundant power), and third-party connectivity. IP<br />
networking are also included in this domain.<br />
===Identity and Access Management===<br />
The identity and access management domain covers the attacks that<br />
target the human gateway to gain access to data. Other topics include<br />
ways to identify users with rights to access the information and<br />
servers. Identity and access management covers the topics of<br />
applications, Single sign-on authentication, privilege escalation,<br />
Kerberos, rule-based or risk-based access control, proofing and<br />
establishment of identity.<br />
===Security Architecture and Engineering===<br />
The security architecture and engineering domain covers important<br />
topics concerning security engineering plans, designs and principles,<br />
Topics include assessing and mitigating information system<br />
vulnerabilities, fundamental concepts of security models and security<br />
architectures in critical areas like access control. Cloud systems,<br />
cryptography, system infiltrations (ransomware, fault-injection and<br />
more) and virtualized systems are also covered in this domain.<br />
===Asset Security===<br />
The Asset Security domain deals with the issues related to the<br />
collection, storage, maintenance, retention and destruction of data. It<br />
also covers knowledge of different roles regarding data handling (owner,<br />
controller and custodian) as well as data protection methods and data<br />
states. Other topics include resource provision, asset classification<br />
and data lifecycle management.<br />
===Security and Risk Management===<br />
The security and risk management domain covers general on skills<br />
related to the implementation of user awareness programs as well as<br />
security procedures. Emphasis is also placed on risk management<br />
concerning the acquisition of new services, hardware and software<br />
(supply chain). Other skills include social engineering defense<br />
mechanisms.<br />
===Security Assessment and Testing===<br />
The security assessment and testing domain deals with all the<br />
techniques and tools used to find system vulnerabilities, weaknesses and<br />
potential areas of concern not addressed by security procedures and<br />
policies. Attack simulations, vulnerability assessment, compliance<br />
checks, and ethical disclosure also fall under this domain.<br />
===Software Security===<br />
The software development security domain deals with implementing<br />
software-based security protocols within environment for which the IT<br />
professional is responsible. Risk analysis, vulnerability identification<br />
and auditing of source codes are all covered in this subset. Additional<br />
topics include software-designed security, maturity models, development<br />
methodologies, open-source and third-party development security.<br />
===Security operations===<br />
The security operations domain covers topics ranging from<br />
investigations and digital forensic to detection and intrusion<br />
prevention tools, sandboxing and firewalls. Topics include user and<br />
entity behavior analytics, threat intelligence (threat hunting and<br />
threat feeds) log management, artifacts (mobile, computer and network),<br />
machine learning and AI-based tools, penetration testing, and<br />
exploitation development. These for sub-domains are lister here.</p><br />
<li>Forensics</li><br />
<li>Incident Handling</li><br />
<li>Penetration Testing</li><br />
<li>Exploitation</li><br />
<br />
==Education==<br />
<p>The entry level monitoring specialist is hired by Estonian<br />
Information System Authority even if there is no formal IT education,<br />
but readiness to learn and moderate knowledge of different operation<br />
systems is enough to start the career.</p><br />
<p>https://www.cv.ee/en/vacancy/792782/riigi-infosusteemi-amet/seirespetsialist-tule-eesti-kuberruumi-valvuriks</p><br />
<p>Nevertheless, like most other high qualification careers jobs falling<br />
under the cybersecurity specialist category require some form of formal<br />
education. However, since cybersecurity specialist jobs can fall across<br />
a wide spectrum of job descriptions and responsibilities, it is possible<br />
to obtain a specialist job after completing many levels of different<br />
computer related education.</p><br />
<p>If one is looking for a cybersecurity related education, for example<br />
in EU, 137 courses/programs could be found that relate to keyword IT or<br />
cybersecurity.</p><br />
<p>https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/education-courses</p><br />
<p>Also, there is a great amount of discussion, if cuber security<br />
professional should have a degree or would be certification just enough.<br />
One interesting table is produces by Franklin University that compares<br />
benefits and/or drawbacks of each type of credential.</p><br />
<figure><br />
<img src="images/image11.png" alt="Comparison MSc vs certificate" /><br />
<figcaption aria-hidden="true">Comparison MSc vs<br />
certificate</figcaption><br />
</figure><br />
<p>Certifications are generally good for people with little practical<br />
experience because they are known quantities in the industry and can<br />
help you get your foot in the door. They set a minimum knowledge bar.<br />
But some certifications are viewed more favorably than others.<br />
Certifications with renewal requirements are viewed better by hiring<br />
managers, but they also more costly in the long run because of the need<br />
for continuing education. Certifications are also good for showing<br />
in-depth expertise in a specialization within cybersecurity. Depending<br />
on your career goals, it may be advantageous to have a master’s<br />
degree—which shows your breadth of knowledge, critical thinking and<br />
leadership skills—and a certificate—which shows specific skill<br />
competency.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>As IT (Cyber) Security is still a relatively young discipline,<br />
universities and colleges are still figuring out which is the best<br />
approach for their degrees. Study programmes and curricula in Cyber<br />
Security are different. In general, here are the duration of Cyber<br />
Security degrees:</p><br />
<ul><br />
<li><p>Bachelor’s degrees in Cyber Security take 3 or 4 years in most<br />
countries.</p></li><br />
<li><p>Master’s courses in Cyber Security take between 1-2 years to<br />
complete.</p></li><br />
<li><p>PhD programmes in Cyber Security last 3-5 years. Some only take 1<br />
or 2 years, but they are less common.</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p></li><br />
</ul><br />
<p>Generalization could me made that on bachelor level the general<br />
knowledge about the cyber issues are obtained. On master level the<br />
specialization courses are taken and the person can choose more specific<br />
topics to study. It is on master level where strengths of the cyber<br />
specialist can be developed further and up-do date knowledge obtained in<br />
specifics. PhD is serious science and involves teaching, lot of<br />
scientific work and writing for publications.</p><br />
==Salary==<br />
<p>Even if the salary can be very different, compared to the skills and<br />
experience, an generalization can be made. Cyber Security professionals<br />
in CSIRT, and in other entities earn quite well, from the start. First,<br />
some comparison from the United States. The average CSIRT analyst salary<br />
in the USA is $97,500 per year or $50 per hour. Entry level positions<br />
start at $48,875 per year while most experienced workers make up to<br />
$135,373 per year.</p><br />
<p>https://www.talent.com/salary?job=csirt+analyst</p><br />
<p>There are multiple positions you can occupy in this field. They have<br />
in common great salaries and high demand for technical skills, attention<br />
to details, problem-solving mentality, and the ability to analyze risks.<br />
Here are the average annual salaries in the United States, according to<br />
Payscale:</p><br />
<p>https://www.payscale.com/</p><br />
<ul><br />
<li><p>Cryptographer – 100,000 USD</p></li><br />
<li><p>Information Security Officer – 91,000 USD</p></li><br />
<li><p>Security Assessor – 90,000 USD</p></li><br />
<li><p>Security Engineer – 88,000 USD</p></li><br />
<li><p>Penetration Tester – 81,000 USD</p></li><br />
<li><p>Forensics Expert – 71,000 USD</p></li><br />
<li><p>Security Administrator – 65,000 USD</p><br />
<p>https://www.mastersportal.com/articles/2722/why-you-should-study-a-cyber-security-degree-in-2022.html</p><br />
<p>When looking into salaries in Estonia, one can find that there is a<br />
discussion that private sector is taking a toll from the public sector,<br />
and that the salaries in important agencies, as Information System<br />
Authority loose their employees to the better paid positions in private<br />
sector.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/kui-palju-riigi-jaoks-olulised-it-tootajad-tegelikult-palka-saavad/<br />
https://tehnika.postimees.ee/6887428/riigi-it-tootajate-palgamaarad-kasvasid</p><br />
<p>But there is also a different view that average private sector worker<br />
could be hired as a top specialist in public sector and then the payment<br />
is higher. Nevertheless, it seems that the average payment in cyber<br />
security sector is any way higher that in other parts of the<br />
e-services.</p><br />
<p>https://digi.geenius.ee/rubriik/uudis/5000-eurostest-palkadest-it-tootajad-saavadki-palju-palka/</p></li><br />
</ul><br />
==SOC==<br />
<p>A SOC is a facility where an organization’s network, applications,<br />
and endpoints are monitored and defended. The term was adapted from<br />
network operations centers (NOCs), where large telecommunication or<br />
corporate networks are monitored. When network security became more of a<br />
concern, security teams were formed within the NOCs, and eventually spun<br />
off into larger organizations of their own as the responsibilities of<br />
security teams grew increasingly complex and specialized. The security<br />
staff working in a security operations center are often called the SOC<br />
team.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>Functions of the SOC team include, but are not limited to:</p><br />
<ol type="1"><br />
<li>Taking inventory of resources, to get a better understanding of the<br />
structure they are protecting.</li><br />
<li>Maintanence of the system, by constantly making updates and adding<br />
safeguards.</li><br />
<li>Monitoring the network for abnormalities with special tools.</li><br />
<li>Threat analysis of new attacks and vulnerabilities.</li><br />
<li>Responding to attacks, by acting as “first responders”. The SOC team<br />
will shut down and/or isolate endpoints, deleting files and lowering the<br />
impact as fast as possible.</li><br />
<li>Recovery of system stability and lost data. This may be done using<br />
backups, restarting endpoints or reconfiguring systems.</li><br />
<li>Logging all actions on the system, to be later used for analysis or<br />
forensics after an attack.</li><br />
<li>Investigating the root cause of an attack.</li><br />
<li>Auditing their own actions, to be in line with regulations of the<br />
organization, industry or governing body.</li><br />
</ol><br />
<p>https://www.trellix.com/en-us/security-awareness/operations/what-is-soc.html</p><br />
==CSIRT==<br />
<p>A CSIRT is a group that responds to security incidents when they<br />
occur. Key responsibilities of a CSIRT include:</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<ul><br />
===Creating and maintaining an incident response plan (IRP)===<br />
An incident response plan (IRP) is a set of written instructions for<br />
detecting, responding to and limiting the effects of an information<br />
security event. Incident response plans provide instructions for<br />
responding to many potential scenarios, including data breaches, denial<br />
of service/distributed denial of service attacks, firewall breaches,<br />
virus or malware outbreaks or insider threats. Without an incident<br />
response plan in place, organizations may either not detect the attack<br />
in the first place, or not follow proper protocol to contain the threat<br />
and recover from it when a breach is detected.<br />
<p>https://www.stratacore.com/incidentresponseplan</p></li><br />
===Investigating and analyzing incidents===<br />
CSIRTs are also involved in improvement activities. After major<br />
computer security incidents occur, or when incidents are not handled in<br />
a timely or effective manner, a CSIRT will generally perform a<br />
postmortem of the incident and its response. This postmortem will<br />
identify the strengths and weakness of the response effort. Such reviews<br />
can identify weaknesses and holes in systems, infrastructure defenses,<br />
or policies that allowed the incident to take place. It can also<br />
identify problems with communication channels, interfaces, and<br />
procedures that inhibited the efficient resolution of the reported<br />
problem.<br />
<p>https://www.cisa.gov/uscert/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams</p><br />
<br />
===Managing internal communications and updates during or immediately after incidents occur===<br />
===Communicating with employees, shareholders, customers, and the press about incidents as needed===<br />
<p>There are various services within the CSIRT Services Framework that<br />
address communications, as they relate to security operations and<br />
incident response services. Some of these include Information Security<br />
Incident Coordination, Crisis Management Support, Vulnerability<br />
Disclosure, Situational Awareness Communication, and Awareness Building,<br />
to name a few. Sharing information and communicating with the general<br />
public and/or your constituency is appropriate in many different<br />
scenarios. These can range from proactive communications to reactive<br />
communications. Each scenario may be unique, and careful consideration<br />
should be given to when to release information to the public and what<br />
information should be released.</p><br />
<br />
<p>https://resources.sei.cmu.edu/asset_files/Handbook/2021_002_001_651819.pdf</p><br />
<br />
===Remediating incidents===<br />
<p>Threat remediation is a strong and capable tool for fighting the<br />
cyber security compromises. As the word ‘remedy’ suggests, remediation<br />
process involves the treatment of a security breach. With the<br />
remediation practices, your cyber security team is able to eliminate<br />
suspicious activities and malicious attacks in the form of malware,<br />
ransomware, phishing and such. Even if you ‘kill’ the suspicious<br />
activity, the attackers can remain in your systems. If you want to<br />
contaminate and end the problem for good, your remediation processes<br />
must involve the detection of the cause.</p><br />
<p>https://www.logsign.com/blog/what-is-remediation-in-cyber-security/</p><br />
=== Recommending technology, policy, governance, and training changes after security<br />
incidents===<br />
<p>After all these actions, the SCIRT must contribute to the development<br />
of better policies, practices and has to recommend improvements. They<br />
are not working in the vacuum and their work has to create new and<br />
better standards for cyber security.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p></li><br />
</ul><br />
==CERT==<br />
<p>The term “computer emergency response team” was coined in 1988. In<br />
response to the Morris worm attack that impacted thousands of servers on<br />
the Internet, DARPA funded the formation of the Computer Emergency<br />
Response Team Coordination Center (CERT-CC) at Carnegie Mellon<br />
University. The goal of CERT-CC was to help protect the internet by<br />
collecting and disseminating information on critical security<br />
vulnerabilities. Several other countries formed similar centers using<br />
the same acronym (despite threats of legal action by Carnegie Mellon for<br />
trademark infringement). Now the term CERT refers to any emergency<br />
response team that deals with cyber threats. Many people use CERT-CC<br />
interchangeably with CSIRT, though the charter of a CERT is information<br />
sharing in order to help other response teams respond to threats against<br />
their own infrastructure.</p><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
<p>In general, the designation of CERT is helpful in applying real-world<br />
solutions to various cybersecurity problems. They may be government<br />
contractors or employees of a major corporation. For example, the U.S.<br />
Computer Emergency Readiness Team (US-CERT) operates under the U.S.<br />
Department of Homeland Security.</p><br />
<p>https://www.techopedia.com/definition/31003/computer-emergency-response-team-cert</p><br />
<p>In Estonia CERT is designated as CERT-EE. It was established in 2006,<br />
as an organization responsible for the management of security incidents<br />
in .ee computer networks. It is also a national contact point for<br />
international co-operation in the field of IT security.</p><br />
<p>https://www.ria.ee/en/cyber-security/cert-ee.html</p><br />
===Difference between SOC/CSIRT/CERT===<br />
<p>How CSIRTs differ from CERTs and SOCs There are overlapping<br />
responsibilities between a community emergency response team (CERT),<br />
computer security incident response team (CSIRT), and security<br />
operations center (SOC). To add to this confusion, frequently, the terms<br />
CERT and CSIRT are used interchangeably, despite the important<br />
differences.</p><br />
<figure><br />
<img src="images/image3.png" alt="Overlapping in images/image3.png" /><br />
<figcaption aria-hidden="true">Overlapping in<br />
images/image3.png</figcaption><br />
</figure><br />
==Understand the primary roles and characteristics of a CERT, CSIRT, and SOC.==<br />
<p>So, using strict definitions, a CERT collects and disseminates<br />
security information, typically for the benefit of a country or an<br />
industry. A CSIRT is a cross-functional team that responds to incidents<br />
on behalf of a country or an organization. A SOC is where a country or<br />
organization monitors and defends its network, servers, applications,<br />
and endpoints.</p><br />
<figure><br />
<img src="images/image4.png" alt="table of explanation images/image4" /><br />
<figcaption aria-hidden="true">table of explanation<br />
images/image4</figcaption><br />
</figure><br />
<p>https://www.exabeam.com/incident-response/csirt/</p><br />
==Future==<br />
<p>And the Cyber security problem is only getting bigger. According to a<br />
report published by Accenture, the number of cyber security breaches<br />
increased by 11 percent from 2017 to 2018. The cost of such breaches is<br />
astronomical–about $600 billion worldwide, according to the Economic<br />
Impact of Cybercrime report.</p><br />
<p>https://www.ecpi.edu/blog/what-is-digital-forensics-in-cybersecurity-is-this-a-good-career-for-me</p><br />
<p>Job projections for cybersecurity are staggering. The Bureau of Labor<br />
Statistics in US predicts that careers in the cybersecurity field will<br />
grow by 32% by 2028. That makes cybersecurity one of the top 10<br />
fastest-growing jobs in the country. In the United States alone, jobs<br />
for Information Security Analysts are expected to grow by 15% by<br />
2024.</p><br />
<p>https://www.franklin.edu/blog/is-a-masters-degree-in-cyber-security-worth-it</p><br />
<p>Most likely this trend is also similar in other countries.</p><br />
<p>When checking Estonian job portals, there is a constant need for<br />
people for cyber security related positions. Also, linkedin search gives<br />
approximately 30 vacancies immediately. There are banks, logistics<br />
companies, e-shops, and software producers.</p><br />
<p>https://ee.linkedin.com/jobs/cyber-security-jobs?countryRedirected=1&amp;position=1&amp;pageNum=0</p><br />
<p>Trends that affect companies create need for constant cyber security<br />
services. Increasing number of home/remote offices require secure<br />
corporate networks and security of remote devices. One example is from<br />
this year, when sloppy remote desktop set-up paralyzed systems of 17<br />
companies.</p><br />
<p>https://www.aripaev.ee/uudised/2022/04/20/ria-lohakas-kaugtoolaua-seadistus-halvas-martsis-vahemalt-17-juhul-ettevotete-it-susteemid</p><br />
<p>Also, no service can exists without robust infrastructure - servers,<br />
databases, applications. As all previously mentioned devices and<br />
services are at constant scanning and surveillance. So, the breach<br />
detection and immediate action demands 24/7 services. Even if lot of<br />
things could be automated, there is a need for human specialists (at<br />
least, at the moment). Third growing field is also a forensic<br />
investigation, as every attack must be investigated in order to be ready<br />
to repel next attacks. So data recovery and evidence collection is<br />
another important field of work that need skilled and professional<br />
workers.</p><br />
<p>Even, if the specifics of the entity, be it CSIRT, CERT or SOC, are<br />
different, the fundamentals of the work are the same. Professional<br />
knowledge of the networks, operational systems, hardware, scripting, and<br />
several other wider IT related knowledge is needed. As there is no<br />
single way to reach to it, every single person can find one’s strongest<br />
sides and develop them with knowledge of weaker side, in order to know,<br />
when to as for help.</p><br />
<br />
</body><br />
</html></div>Mavald