New Encryption Standards Expose Hidden Employment Opportunities
You don’t need to be a programmer to be successful in infosec
A very common belief that has been propagated due to the glorification of hacking is that there is an absolute need for in depth knowledge of programming, nitty-gritty details of memory allocations, registers, sockets etc. to be successful in an InfoSec job. Although there is certainly some truth to it and some infosec jobs require programming knowledge, there are several key areas in Infosec that don’t really need as much programming knowledge. Instead they require understanding of certain protocols and their operations. One such area is “encryption”. Basic knowledge in this area can open the doorway to lucrative jobs in the Cyber-Security field.
Why Encryption is a big deal?
Encryption plays a key role in data security. Data either at rest or in motion needs to be secured from prying eyes. As we have seen in the past, a failure to do so can result in catastrophic outcomes for an organization. It’s also critical for companies to monitor or look deeper(decrypt) at certain transactions for various purposes like protecting company’s intellectual property, trade secrets etc. To perform such tasks companies desperately need folks with a fundamental understanding of encryption. As it turns out, this desperate need is correlated to a willingness to pay well. Good news for those with encryption skills.
How big is the market?
There are several credible reports from reputed publications like Forbes or IDG that has been reporting an acute cyber skill shortage. A significant number of applicants applying in this market are coming from the coding background apply for jobs like malware analysis Which means there are even lesser pool of applicants that are coming with the knowledge of encryption. Along with this add the fact that some of these technologies are rapidly getting evolved whole the existing ones are getting obsolete. Like the growing popularity of Elliptical Curves for key exchanges or the introduction of the new TLS standard TLS 1.3 ensures anyone who has knowledge of these newer technologies would be sought after.
What are some things I should study?
- Protocol Suites for Encryption: There are majorly two ways by which the employee data is protected while in motion. IP Security or IPSec and Virtual Private Network a.k.a VPN tunnels are key for multiple sites of same organizations to share data securely or for remote workers to access company assets. Transport Layer Security is a way where users can securely browse internet websites. Knowledge of such protocols their new versions and forms is a highly desired quality.
- Technology selection: Deployment of encryption, especially encrypting transaction in motion isn’t the easiest of task. Implementer must choose the right strategies for asymmetric and symmetric encryptions, key sizes , integrity check algorithms, authentications etc. Along with this they also need to choose the right vendors that can meet the needs both in terms of encryption and scale requirements.
- Optimizations: Implementing the strongest of encryption (Large key sizes ad complex algorithms) would certainly mean higher security but would result in requirement of tremendous amount of resources. At the same time weaker encryption can make the organizations vulnerable to breaches. Key challenges are to create a balance between the right amount of security that has minimal impact on regular business at optimum cost. Yeah, kind of like having your cake and eating it too.
- Inspection: Creating an encryption strategy is as important as creating a strategy to be able to monitor and, in some cases, inspect such encrypted traffic. Inspecting encrypted traffic with minimal hindrance to end-users is also another job requiring delicate planning.
- Learning the tools: Even though encryption is standardized, the tools that would be needed to deploy successful encryptions aren’t. Which means every vendor has their own set of configurations/settings and ways to implement the encryption protocol suites. This is especially true for IPSec, VPN and newer versions of TLS. Its almost impossible to get it right at the very first time. Which means prior experience in any of the vendor tools in implementing these strategies is a great advantage.
“Nothing in the world is worth having or worth doing unless it means effort, pain, difficulty” - Theodore Roosevelt While encryption as a technology isn’t simple and comes with significant number of its own challenges. However, it is also true that the newer encryption technologies like TLS 1.3 has obfuscated the complexity from the user by ways like reducing the number of supported ciphers, limited backward compatibility etc. Assuming others(especially IPSec) will follow suite, these technologies will increasingly be simpler for new learners to pick up quickly and gain enough knowledge to fill up the immediate skill gap that exists in this area of the already under nourished sector. Then off course there’s a lifetime of on-the-job training to become an encryption ninja.
By the way, October is National Cyber Security Awareness Month - check out other NCASM 2018 posts here.