Andrew Martin - Information Security Specialist, CIBC My Career in Information Security

Upload: jewel-walsh

Post on 27-Dec-2015


Page 1

Andrew Martin - Information Security Specialist, CIBC

My Career in Information Security

Page 2

Agenda

- My background
- Pre-CIBC experience and qualifications
- How I got my current job
- Qualifications obtained at CIBC
- Current responsibilities
- Tools
- Attacks
- Opportunities and how to be successful

Page 3

Background

- Graduated from CTY program in December 2003 before Seneca moved to York
- Specialized in security
- Left the country in January 2004, missed my convocation and traveled the South Pacific for 7 months

Page 4

Pre-CIBC experience and qualifications

- Worked for a friend’s small company
  - Home / SOHO clients
  - First exposure to security involved removing viruses like Blaster, MyDoom, securing wireless networks, deploying home firewalls.
- Got a job for Microsoft’s outsourced support company in Sydney, Australia when the Sasser worm hit in April 2004
- Contract junior network admin for WSI in 2005
  - Helped build a small data center
  - Secured their workstations, wireless access points

Page 5

Pre-CIBC experience and qualifications

- Certifications
  - A+, Server+, Network+
  - MCP in Windows 2003 administration

Page 6

How I got my current job

- While working at WSI I noticed a job posting at CIBC for a desktop support analyst
- Applied for and got the job
- Supported CIBC’s trading floor staff including traders, back office staff and some senior executives
- Spent 8 months in desktop support

Page 7

How I got my current job

- Noticed a job opening in security group as an analyst
  - 24/7 support
  - 12 hour rotating shifts
  - 7AM-7PM / 7PM-7AM (terrible!)
  - Monitor Intrusion Detection System (IDS) and other security devices
- Passion for security, enthusiasm and willingness to learn got me the job
- Fantastic position to “get your foot in the door”

Page 8

How I got my current job

- Excelled at responsibilities as a shift analyst, moved to 9-5 day job after 8 months (more responsibility, same pay)
- My boss wanted to have someone working every day who could find and investigate attacks
- A new position was created for me
- Promoted to specialist a few months later
- Have been in my current role for a little over a year

Page 9

Qualifications obtained at CIBC

- MCSA – 2003, specialized in security
- CCNA
- CISSP
- SANS:
  - GCFA Gold (Forensic Analyst) – Mobile Device Forensics
  - GCIH Gold (Incident Handler) – Exploit Kits Revealed – MPack
  - GREM (Reverse Engineering Malware)
- And my most recent…..

Page 10

Qualifications obtained at CIBC

- One of 4 professionals worldwide to obtain the SANS GSE (Security Expert) Malware certification
- GCFA, GCIH, GREM were prerequisites, I needed to write two papers to achieve gold status as well. The prereqs took over a year to complete
- The testing included:
  - A telephone interview
  - 150 multiple choice questions
  - 2 days (14 hours) of hands on lab assignments at the SANS Las Vegas 2008 conference
  - A written report
- CIBC covered my expenses and flew me to Vegas to take it!

Page 13

Current responsibilities

- Mentor and lead a team of 9 analysts
- Lead for maintaining CIBC’s Intrusion Detection System
- Influence direction of CIBC’s information security by applying real world attack experience
- Research & investigate security threats to CIBC’s infrastructure
- Reverse engineer malware (viruses) to determine their capability
- Find, investigate and (sometimes) take down botnets
- Recover sensitive stolen information
- Assist corporate security and online fraud investigation groups

Page 14

Tools

- From a high level
  - Anti virus
  - Intrusion Detection System
  - Proxy + Web Filtering
  - Log correlation engine

Page 15

Tools

- For reverse engineering and malware analysis
  - Linux
  - VMware
  - Wireshark
  - Perl, strings, file, netcat, hex editor
  - EnCase (Helix or SANS SIFT)
  - Debugger – OllyDbg
  - Disassembler – IDA Pro
  - Mandiant Red Curtain
  - PEiD
  - Various unpackers
  - Memory dumper (LordPE)
  - Sysinternals tools – Process Explorer, Process Monitor
  - Etc, etc

Page 16

Tools

- Bar none, the MOST important tools for conducting investigations are your “detective hat” and patience
- You must always answer these questions
  - When was the system attacked?
  - Who attacked the system? (IP address)
  - How was it compromised?
  - What was the purpose or payload of the attack?

Page 17

Attacks

- Trends
  - Client side attacks – Workstations are compromised via malicious websites typically via ActiveX controls
  - Server side attacks – Websites are compromised in the tens of thousands by SQL injection, remote file inclusion and stolen or weak passwords

Page 18

Opportunities and how to be successful

- To excel in security (technically) you should be at least competent in virtually every area of IT
  - Windows administration
  - ***Unix/Linux administration***
  - Networking / firewall
  - Development (scripting, programming)
  - Databases / SQL
  - Hardware

Page 19

Opportunities and how to be successful

- From Tech Republic’s 2008 salary report (US)
  - Top 30 job functions
  - Security Specialist ranks 8th with avg salary of 85K
  - No I don’t make that much sadly

#1 - Executive Management (CEO SVP VP) $104,767
#2 - System Architect $100,734
#7 - Database Manager $87,261
#8 - Computer Security Specialist $85,699
#22 - Network Analyst $64,217
#30 - Help Desk Support $48,783

Page 20

Opportunities and how to be successful

- Information Security is a hot field, but hard to break into
- Hackers won’t stop hacking, they will only hack more. There is lots of money being made by bad guys
- Two paths to take
  - 1 – Work for a “Client” ex: CIBC
  - 2 – Work for a “Vendor” ex: Symantec
- Look for jobs with a company that is governed by regulations. These regulations will stipulate that they must have dedicated security staff and resources
  - Banks, insurance companies, health care providers, government
- Take a job to “get your foot in the door”

Page 21

Opportunities and how to be successful

- “Soft” skills are incredibly valuable
  - Enthusiasm
  - Willingness to learn
  - Public speaking
  - Ability to admit mistakes
  - Ability to work in a team
- Without strong soft skills your career will be severely limited
- The most successful people are good at many things

Page 22

Questions?