Andrew Martin - Information Security Specialist, CIBC My Career in Information Security Andrew Martin - Information Security Specialist, CIBC

Agenda My background Pre-CIBC experience and qualifications How I got my current job Qualifications obtained at CIBC Current responsibilities Tools Attacks Opportunities and how to be successful

Background Graduated from CTY program in December 2003 before Seneca moved to York Specialized in security Left the country in January 2004, missed my convocation and traveled the South Pacific for 7 months

Pre-CIBC experience and qualifications Worked for a friend’s small company Home / SOHO clients First exposure to security involved removing viruses like Blaster, MyDoom, securing wireless networks, deploying home firewalls. Got a job for Microsoft’s out sourced support company in Sydney, Australia when the Sasser worm hit in April 2004 Contract junior network admin for WSI in 2005 Helped build a small data center Secured their workstations, wireless access points

Pre-CIBC experience and qualifications Certifications A+, Server +, Network + MCP in Windows 2003 administration

How I got my current job While working at WSI I noticed a job posting at CIBC for a desktop support analyst Applied for and got the job Supported CIBC’s trading floor staff including traders, back office staff and some senior executives Spent 8 months in desktop support

How I got my current job Noticed a job opening in security group as an analyst 24/7 support 12 hour rotating shifts 7AM-7PM / 7PM -7AM (terrible!) Monitor Intrusion Detection System (IDS) and other security devices Passion for security, enthusiasm and willingness to learn got me the job Fantastic position to “get your foot in the door”

How I got my current job Excelled at responsibilities as a shift analyst, moved to 9-5 day job after 8 months (more responsibility, same pay ) My boss wanted to have someone working everyday who could find and investigate attacks A new position was created for me Promoted to specialist a few months later Have been in my current role for a little over a year

Qualifications obtained at CIBC MCSA – 2003, specialized in security CCNA CISSP SANS: GCFA Gold (Forensic Analyst) – Mobile Device Forensics GCIH Gold(Incident Handler) – Exploit Kits Revealed – MPack GREM (Reverse Engineering Malware) And my most recent…..

Qualifications obtained at CIBC One of 4 professionals world wide to obtain the SANS GSE (Security Expert) Malware certification GCFA, GCIH, GREM were prerequisites, I needed to write two papers to achieve gold status as well. The prereqs took over a year to complete The testing included: A telephone interview 150 multiple choice questions 2 days (14 hours) of hands on lab assignments at the SANS Las Vegas 2008 conference A written report CIBC covered my expenses and flew me to Vegas to take it!

Current responsibilities Mentor and lead a team of 9 analysts Lead for maintaining CIBC’s Intrusion Detection System Influence direction of CIBC’s information security by applying real world attack experience Research & investigate security threats to CIBC’s infrastructure Reverse engineer malware (viruses) to determine their capability Find, investigate and (sometimes) take down botnets Recover sensitive stolen information Assist corporate security and online fraud investigation groups

Tools From a high level Anti virus Intrusion Detection System Proxy + Web Filtering Log correlation engine

Tools For reverse engineering and malware analysis Linux VMware Wireshark Perl, strings, file, netcat, hex editor Encase (Helix or SANS SIFT) Debugger – ollydbg Disassembler – IDA pro Mandiant red curtain PEiD Various unpackers Memory dumper (lordPE) Sysinterals tools – process explorer, process monitor Etc, etc

Tools Bar none, the MOST important tools for conducting investigations are your “detective hat” and patience You must always answer these questions When was the system attacked? Who attacked the system? (IP address) How was it compromised? What was the purpose or payload of the attack?

Attacks Trends Client side attacks – Workstations are compromised via malicious websites typically via ActiveX controls Server side attacks – Websites are compromised in the tens of thousands by SQL injection, remote file inclusion and stolen or weak passwords

Opportunities and how to be successful To excel in security (technically) you should be at least competent in virtually every area of IT Windows administration ***Unix/Linux administration*** Networking / firewall Development (scripting, programming) Databases / SQL Hardware

Opportunities and how to be successful From Tech Republic’s 2008 salary report (US) Top 30 job functions Security Specialist ranks 8th with avg salary of 85K No I don’t make that much sadly  #1 - Executive Management (CEO SVP VP) $104,767 #2 - System Architect $100,734 #7 - Database Manager $87,261 #8 - Computer Security Specialist $85,699 #22 - Network Analyst $64,217 #30 - Help Desk Support $48,783

Opportunities and how to be successful Information Security is a hot field, but hard to break into Hackers won’t stop hacking, they will only hack more. There is lots of money being made by bad guys Two paths to take 1 – Work for a “Client” ex: CIBC 2 – Work for a “Vendor” ex: Symantec Look for jobs with a company that is governed by regulations. These regulations will stipulate that they must have dedicated security staff and resources Banks, insurance companies, health care providers, government Take a job to “get your foot in the door”

Opportunities and how to be successful “Soft” skills are incredibly valuable Enthusiasm Willingness to learn Public speaking Ability to admit mistakes Ability to work in a team Without strong soft skills your career will be severely limited The most successful people are good at many things

Questions?