Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[homepage]  [blog]  [jschauma@netmeister.org]  [@jschauma]  [RSS]

Infosec Skill Sets

January 19th, 2022

Everybody's career path into and within "Information Security" -- about as broad and ill-defined a field as any -- is different. We all come from different backgrounds with different experiences, and even if our job titles may be the same, in practice we are bound to perform different tasks.[1]

But some skill sets tend to intersect. I've tried to compile a list of primarily technical "core competencies" before, but that only covered so-called "hard skills". "Soft skills", on the other hand, are actually a lot harder, but of course there's overlap here indicating a conceptual difficulty in categorizing "technical" and "non-technical" skills. Overlap, you say? To the Venn Diagramminator!

Trivial Venn diagram showing technical,
non-technical, and 'working in tech' skills comprising
'infosec skills'.

Oh, this is deep. I know. But bear with me. Let's claim that we have certain technical skills as well as some non-technical skills. So far, so obvious. But we also have a weird little skill set comprising that odd area that is a result of just working "in tech". And then there's a bunch of this, that, and the other. But let's zoom in, first on the technical skills:

Zoomed out 'technical' skills, comprised of
intersecting 'Computer Science', 'Programming',
'Operations', and 'Networking'.

That's right: I'm recycling one of my earlier Venn diagrams. Of course there's more to the technical skills, but let's try to very broadly categorize them as Computer Science, Programming, Operations, and Networking. They all overlap and intersect: everybody has their own, personal Venn diagram of those skills, and comprising sets do not imply a requirement to possess all the skills: instead, each circle represents a set of possible skills.

I do think it's important to draw the distinction between e.g., Computer Science and Programming: you absolutely can do either one without the other, but they do complement one another[2]. So let's zoom in once more. Operator, enhance!

Computer Science skills: Very basic algorithmic complexity; Cryptographic primitives; Pointers, recursion, ...; Enough data structures to know that you want a hash, not a list; Conceptual difficulty of e.g., halting problem, traveling salesman, dining philosophers etc.; CAP theorem, BFT, ...

Core concepts in Computer Science that I consider useful and applicable here include:

What Why Example
very basic algorithmic complexity useful to understand: the impact of your programmatic solutions, what level of analysis is feasible; generic problem scope; etc. hash tables are O(1) average; nested loops may lead to O(n^x); how password complexity requirements push brute force cracking; impact of recursion
 
cryptographic primitives and concepts useful to understand protocols, analysis of architectures, development, analysis of compromise impact hash functions and HMACs, symmetric/asymmetric encryption, nonce, signatures, RNGs, block- vs stream cipher, entropy
 
pointers and buffers useful to understand: reference, indirection, memory management, buffer overflows strlcat(3) vs strncat(3), sizeof != strlen, pointer arithmetic (p[x] == *(p + x)
 
Enough data structures to know that you want a hash, not a list useful when coding up even simple tools to process some data see above re O(1) lookups
 
Conceptual difficulty of common problems in CS useful to assess feasibility of proposed solutions halting problem, traveling salesman, dining philosophers, ...

 

Does everybody who works in infosec need a background in Computer Science? No, but it helps in most cases. Can you learn these concepts without formally studying Computer Science? Of course, but that doesn't change anything about it being Computer Science. Are there many more areas that could or arguably should be included here? Sure, why not! Is posing questions and then answering them a particularly annoying style of trying to make a point? Also yes.

But then what kind of skills do we generally see under programming? Beep, beep, bzzzt, re-zoom, enhance:

Programming skills: Automation of repetitive
tasks; Code reading; Core concepts and paradigms;
Classes of code vulnerabilities; Proof of Concept
development and validation; ...

I do distinguish between programming and software engineering, and here I merely list some of the programming skills that are useful to the majority of cybersecurity practitioners, including, but not limited to:

  • Automation of repetitive tasks
  • Code reading
  • Core concepts and paradigms
  • Classes of code vulnerabilities
  • Proof of Concept development and validation

Most of us are processing data in some fashion; we have to be able to read code written by others, e.g., internally for product security reviews or externally to understand a vulnerability or proof of concept exploit etc.; many of us also need to verify exploits and vulnerabilities, and being able to stand up a proof of concept ourselves is obviously helpful. Comparing these to the CS skills hopefully illustrates why those would be useful.

But reading, writing, and running programs is only part of the story. Even if we don't actually operate our own infrastructure ourselves, understanding how it works has significant impact on our ability to protect it:

Operations: HTTP Services, load balancers,
proxies; Configuration Management; Patch Management;
Filesystem, CPU, memory load and impact; Multiuser
fundamentals; ...

I decided to somewhat arbitrarily single out the following areas as examples:

What Why Example
HTTP Services, load balancers, proxies How traffic enters into and travels through your network defines your attack surface. HTTP protocols supported by your edge proxies, TLS termination
 
Configuration Management Useful to understand e.g., how to deploy configuration changes across your fleet, whether you are reactive or prescriptive, what aspects you control centrally versus managed by service owners. Chef, Puppet, Ansible, but also Terraform and other IaaS tools
 
Patch management Overlaps with config management, but more specifically helps you understand the process of how you get your software stack updated in a timely manner. Roll forward, container / image updates, package and repository manifests, faked out dependencies, software inventory, ...
 
Filesystem, CPU, memory load Important to understand how the tools you use (e.g., reporting agents) impact normal system operations. Crowdstrike, Nessus, OSQuery bringing a box to a halt; thrashing the disks during filesystem traversal
 
Multiuser fundamentals Virtually every attack path requires privilege escalation and lateral movement. Unix permissions, user authentication, service accounts, sandboxes

 

All of these bits are highly relevant in your understanding of deploying defensive measures, yet have really nothing (directly) to do with, say, Computer Science or programming as such. It all kind of falls into the general area of computering, but as you can tell, it's still missing another section: Networking:

Networking: Layer 2 vs. Layer 3; Internet
infrastructure; Peering, routing, DNS; IPSec, VPNs,
Cloud equivalents; ...

Sure, you could well argue that all of this falls into Operations, but I feel this, ahem, operates on a different layer, if you know what I mean. Not everybody needs to be able to read pcap files -- though that certainly helps and in some cases is a requirement -- but understanding the general networking concepts such as Layer 2 vs. Layer 3, peering, routing, the DNS, VPNs, and even the global internet structure in the context of e.g., perimeter defenses remains a core capability.

But all that is technical, those supposed "hard" skills I listed in a bit more detail already. These diagrams ought to merely help you better visualize the overlap of the skills, how neither set is a hard requirement for everybody, and the variety of areas of expertise and specialization in the field.

All of the above, however, isn't worth much unless you combine it with the non-technical aspects. But hey, what are those anyway? Here, let's zoom out a bit... pfffffft, bzzzzt, beep, bup, beep:

Non-technical skills: Clear writing, reading
comprehension, business, ethics

"Waaaaait a second. I see what you're doing here! You're trying to tell me I should have stayed in school! Also, how can 'Business' intersect with 'Ethics', huh?"

Ok, you got me. Don't do drugs, stay in school. Reading and writing is actually important, and I do mean beyond a middle school level. That little circle there, the "Clear Writing & Reading Comprehension", that's exactly those "excellent communications skills" every job posting lists but nobody ever interviews or tests you on. Let's take a closer look:

Reading/Writing: Reading an entire email, not
just the first question; Writing a comprehensive,
detailed report or brief for a given target audience;
Presenting to different audiences; Understanding and
condensing a technical spec or RFC;  Be able to
communicate via chat; ...

The area where information security can be most effective, the area where we spend most of our time on (or should, anyway), consists of communicating with other human beings. It's the people, stupid. That includes being able to:

  • Reading an entire email, not just the first question. (I know. Most difficult requirement first.)
  • Writing a comprehensive, detailed report or brief for a given target audience.
  • Presenting to different audiences.
  • Understanding and condensing a technical spec or RFC.
  • Be able to communicate effectively via chat.

All of this is clearly not infosec-specific, so let's take a peek at what we find in the intersecting Business category:

Business: Cost / Benefit Analysis; Risk
Assessment; Risk Management; Fear, loathing, and
appreciation of lawyers; Speaking to suits;
...

That's right: we're talking to the suits now! And that actually is an entirely separate skill. We also need to understand the business model, goals, and priorities to allow us to perform relevant cost-benefit analysis within the threat model. And if this language starts to put you to sleep, just wait until I break out "Risk Assessment" and "Risk Management"... le yawn, indeed, but also rather necessary. And who knows, maybe you actually enjoy this part! (It's ok to admit it.)

Another part of "the business" are your friends, the lawyers. No, seriously, you want to be buddies with your legal representatives and know how to speak to them, as well as how to translate what they tell you into a human language. But this whole area then quickly slips into our next circle -- (enhance!) -- Ethics:

Ethics: Empathy; Grasping that legal != ethical;
Being an actual fucking human being; Act in the public
interest; Fight for the users;

Huh boy, that's a tricky one. People with formal education and possibly multiple degrees in, say, Computer Science, often times never took any classes that covered ethics in much detail, yet it's such an important part of your job, any job!

The distinction between "legal" and "ethical" is a critical one, especially when talking to the above mentioned lawyers and suits. I've talked about Ethical Obligations in Internet Operations before, where I arrived at two fundamental maxims:

  • In part due to our privileged position and understanding in our area of expertise, we are obligated to act in the public interest.
  • It is up to us to fight for our users.

These two points may at times conflict with business interests or expose us to certain types of risk. Alas, such is the cost of being a decent human being on the internet. We need more of those.

The intersections of these various "non-technical" and "technical" skills from above further give you an idea of the variety of career paths. Every time you get to add a skill from one set to your private Venn diagram, you are boosting all the others.

But we're not done yet! Almost all of the above is hardly infosec specific. Sure, we talked a little bit about risk, and of course you can focus all your technical skills on, say, exploit development. But still, all of this looks very generic for just about any tech career. Which, of course, is no coincidence at all: we're really not all that special.

Like everybody else we work with, we require a couple of additional skills that don't quite fit into either the "technical" or "non-technical" sets, things many of us just pick up on the job, but which nevertheless ought to count as a skill set:

Working in Tech: Be able to efficiently use
e.g.,: revision control system; ticketing system;
docs, sheets, presentation; Venn
diagrams!

Seriously, being able to effectively use tools such as revision control (other than git wtf; cd ..; rm -fr dir; git clone), ticketing systems, docs, sheets, presentations, and, clearly most importantly: Venn diagrams -- all that is another set of skills not formally taught.

...but... still not infosec-specific. So what's the deal? Is there anything that can turn this varied mix of possible skills you may or may not have into information security specific competencies?

Well, that's what I reserved the annoyingly wishy-washy This, that, and the other category for. One last time -- enhance!

Hacker Mindset: I wonder what would happen if...;
Oh, really, nobody would ever...?; Social Engineering;
Hold my beer.

See, that's the part where you take this whole assortment of skills from each bucket and combine it with any other unique competencies you bring as well as your particular mindset. And for infosec, that's the Hacker Mindset, the thing in your head that makes you look at door and immediately identify seven different ways that the lock can be circumvented, the part that sees the OSINT potential in any celebrity persona survey, and the part that makes you say: "I wonder what would happen if...", "Oh, really, nobody would ever...?", and, yes, occasionally, "Hold my beer."

All of that together... doesn't give you a minimum skill set, a list of things you should check job applicants against, a yardstick to measure your perceived level of seniority by. What it does give you, hopefully: an idea of the varied backgrounds in any career path:

Your Red Teamer may skew more heavily on the intersection of the hacker mindset and programming, but still has to write effective debriefs; your Blue Teamer might combine operations and networking with the skills to quickly grok new tech standards; your SIEM analyst perhaps brings more from the business side to the table, and so on.

Just don't let anybody gatekeep you out of your career path. Whatever areas you currently do not have covered are options to explore. There's always ample opportunity to zoom in and out.[3]

January 19th, 2022


Footnotes:

[1.] This is quite similar to "Operations", which I've discussed before. It won't surprise you to know that I've worn those two hats -- "System Administrator" and "Information Security Specialist" (sure, why not) -- interchangeably throughout my career.

[2.] Although having a degree in Computer Science does not imply that you are good at programming, for example.

[3.] The full mess of conjoined triangles Venn diagrams can be zoomed at scale here.


Links:


Previous: [WHOIS: Fragile, unparseable, obsolete... and universally relied upon]  -- Next: [Basic Network Troubleshooting]
[homepage]  [blog]  [jschauma@netmeister.org]  [@jschauma]  [RSS]