29 JAN 2019

IT security expert: what he does, professions and certifications

What does an IT security expert do? This question is so general that it is like asking a specialist doctor what they do without knowing their specialization. The right answer is: it depends on the situation. A doctor may have more than one specialization, but all doctors have travelled a common path consisting of a background in pharmacology, surgery and psychology of the patient.

These days, the computer security expert is one of the most requested profiles on the cybersecurity market. In this article we will look at the course of studies required to become an expert in computer security, focusing on the certifications necessary for this profession of IT security.

Just as a doctor has various paths of specialization, the security expert has certain areas of specialization, which are, broadly speaking:

  • infrastructure;
  • defensive;
  • offensive;
  • hunting;
  • forensics.


IT security expert: certifications

Before going into the various areas of specialization and the specific certifications for each of them, it should be made clear that IT security certifications can be:

  • vendor oriented: prepared and released by a vendor and then oriented towards its products and its philosophy;
  • vendor neutral: not connected to a particular vendor.


Infrastructure information security expert

Infrastructure security is the area related to hardening (increasing the intrinsic security of the equipment), policies and access control. It is a fundamental discipline for guaranteeing systems a minimum level of security, even if it is often not enough to deal with next-generation threats.

The valid certifications in this field are:

  • Security + (CompTIA, vendor-neutral);
  • Cisco CCNA, Security (Cisco Systems);
  • RHCSA, RHCE (Red Hat).


Professional in defensive computer security

The defensive aspect relates to the active control of what is happening on the network and the warding off of threats in a passive-aggressive manner. The professionals specialized in this area use tools such as IPS (Intrusion Prevention System) or WAF (Web Application Firewall), in addition to their own creativity.

The certifications for cybersecurity experts in this area are often linked to vendors:

  • IWSA, IWSS (Imperva);
  • ATD, NSP (McAfee);
  • SnortCP (Snort, open-source).


Offensive security computing specialist: the white hat hacker

Usually relegated to movies or crime, offensive security discovers new methods and strategies to reduce the risk of compromised networks.

Let’s compare, by way of example, an IT infrastructure to a building, to which we want to prevent unauthorized access. The offensive security expert (or White Hat hacker) looks for any kind of inconsistency, flaw or ambiguous situation to exploit in order to sneak into the building, just as a real attacker would!

In the end, however, instead of stealing sensitive data, the White Hat hacker compiles a detailed report with all the exploited or detected vulnerabilities: a valuable document making it possible to quickly correct any security weakness that emerged from the analysis.

The typical certifications in this field are independent of vendors, since a great number of tools are needed to operate; they focus instead on methodology:

  • OSCP (Offensive Security);
  • CEH (EC-Council);
  • GPEN (GIAC).


The threat hunter and the evolution of cyber attacks

Cyber threats continue to evolve, cross national borders and involve ever-new actors. It is no longer only the old (cyber) organized crime or geeks by profession: an increasing number of governments, companies, organizations and associations are forced to take precautions to avoid compromises and the consequent incalculable damage. The web has become a real theater of war (the USA, Israel, China and Russia consider it to be just that), where there are no flags, borders or rules.

Anyone who uses an online service or has data in the cloud – practically everyone in the west – runs a certain risk of compromise or fraud.

It is not always easy to get an idea of what is really happening, and the threat hunter has the difficult task of identifying the source of information technology threats, their motivations and the best means of protection. The computer security expert, in this case, often uses both specialized search engines and so-called OSINT (Open Source Intelligence: sources of publicly accessible information), allowing the team to better understand the attacker and prepare a proactive response instead of a reactive one.

In this context the most common certifications are:

  • GCFA (GIAC);
  • GCTI (GIAC).


IT Forensics

Last, but not least, is post-incident management (Forensics). When an attack on an infrastructure network is successful, whether it lasted a few seconds or months, once it is eradicated it is necessary to retrace (as far as possible) the attacker’s footsteps, studying the entry vector and the behavior, and identifying any backdoors (“service ports” left open by the attacker for a simpler and safer return to the attacked network). This work is crucial and can last months, but it is the only discipline that allows you to have complete visibility of what really happened on the network.

This information is available in the activity logs of the various components of the network, but here a problem arises: if our network has been compromised, how can we be sure that these logs have not been modified to cover the attacker’s traces? It sounds like science fiction, but it is a perfectly plausible scenario, and exactly how an infiltrator in the network is supposed to act.

To overcome this problem it is necessary to store the network traffic (traffic dump) on a storage device, in order to be able to analyze it later. Clearly it is unrealistic to copy the entire network traffic; only a few subnets (such as web servers) are captured, and only the last few days are kept. By analyzing this data we are able to reconstruct what happened on the network, regardless of how many logs the attacker may have altered.
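The cross-check described above, as an added example that is not part of the original article: requests reconstructed from an independent traffic capture are compared with the web server's own access log, and anything seen on the wire but absent from the log is reported. The log lines, request tuples, three-day retention window and two-second clock tolerance are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article): a web server access log that
# an intruder may have edited, and HTTP request summaries extracted from
# traffic captured independently on the web-server subnet (timestamps in UTC).
ACCESS_LOG = """\
198.51.100.7 - - [27/Jan/2019:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [27/Jan/2019:10:15:09 +0000] "GET /login HTTP/1.1" 200 734
203.0.113.9 - - [28/Jan/2019:02:11:45 +0000] "GET /index.html HTTP/1.1" 200 512
"""
CAPTURED_REQUESTS = [
    ("2019-01-20T08:00:00", "198.51.100.7", "GET", "/index.html"),  # too old
    ("2019-01-27T10:15:03", "198.51.100.7", "GET", "/index.html"),
    ("2019-01-27T10:15:09", "198.51.100.7", "GET", "/login"),
    ("2019-01-28T02:11:45", "203.0.113.9", "GET", "/index.html"),
    ("2019-01-28T02:12:30", "203.0.113.9", "POST", "/admin/settings"),
    ("2019-01-28T02:13:04", "203.0.113.9", "GET", "/files/report.bin"),
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+$')

def parse_access_log(text):
    """Parse Common Log Format lines into (utc_time, client, method, path)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, ts, method, path = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            when = when.astimezone(timezone.utc).replace(tzinfo=None)
            entries.append((when, client, method, path))
    return entries

def missing_from_log(log_text, captured, now, retention_days=3, tolerance_s=2):
    """Return captured requests inside the retention window with no log entry."""
    logged = parse_access_log(log_text)
    cutoff = now - timedelta(days=retention_days)
    missing = []
    for ts, client, method, path in captured:
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            continue  # older captures have already been discarded
        if not any((c, m, p) == (client, method, path)
                   and abs((t - when).total_seconds()) <= tolerance_s
                   for t, c, m, p in logged):
            missing.append((ts, client, method, path))
    return missing

if __name__ == "__main__":
    for gap in missing_from_log(ACCESS_LOG, CAPTURED_REQUESTS, datetime(2019, 1, 29)):
        print("on the wire but not in the log:", gap)
```

A gap between the two sources does not prove tampering on its own (log rotation or a dropped write can cause it), but it tells the analyst where to look first.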

There are several digital forensics certifications, none related to a particular vendor:

  • CCFP (ISC2).


Although the areas described seem quite distinct and segregated, in actual operations the computer security expert often finds it necessary to apply them all, exactly as in the example of the doctor.

In conclusion, the aspect that makes these times extremely fascinating in the field of IT security is the high degree of pervasiveness of information technology in our daily lives, with all the challenges that this entails in terms of security, privacy, and economic and social stability.



Elaborated by Fabio Toscano, Stefano Elia and Lucia D’Adamo