Gan 1

Stephanie Gan
Brian Robertson
CST 300
September 22, 2015
Hacker Repellent: The Golden Fields of Information Security

When people think of security, they tend to think of large multi-lock safes, prisons, home

security companies like ADT, and banks under heavy surveillance. Physical security isnt the

only form of security that is prevalent in todays world. As Canavan (2001) states, nobody would

have fathomed hiring an entire organization to protect their digital data in the 1980s, as prior to

then, most computers were not part of a network. In 1988, that all changed with Robert Tappan

Morris invention which was aptly named the Morris Worm. Its purpose was to explore and

infect as many computers as possible. It aimed to create a measure of how vast the internet was

in size. However, outcomes can sometimes vary from intentions in a disastrous way. Even if a

system in question was already infected with the worm, it replicated itself anyway, making the

Morris Worm responsible for slowing computers down to the point of no operation (Seltzer,

2013). Morris was both lucky and convenient in the timing of his idea. Although Morris had

originally intended the worm to be harmless, if it were unleashed today, the backlash would be

phenomenal. He would probably have to seek asylum somewhere in space because he wouldnt

be welcome here on Earth.

Hacking goes back much further than Morris. In the late 1950s, driven to make free

phone calls, some people would spend hours studying how calls were routed. Now known as

phone phreaks, they desired to make free phone calls. Phreaks enjoyed circumventing the

telephone system by reverse engineering the tone system with tone generators called blueboxes.

Some delved into wiretapping while more reasonable phreaks snuck into phone company

buildings at night to hook up their own phone lines to make telephone calls under the radar
 Gan 2

(Lapley, n.d.). These early hackers are the reason information security exists as it does today. The

Target data breach occurred over a year ago and has racked up enormous losses. With the

average repercussion of a data breach leveling at around $5.4 million per business, its no

question that companies are developing a focus on information security (Oberman, 2014).

Protecting peoples data and information from misuse has never been a more relevant and

pressing goal. As the pool of companies that are going paperless increases, the demand for digital

security grows. This ever-changing industry would be a fascinating one to be a part of.

It is for good reason that a rising amount of companies solely dedicated to information

security have popped up over the last two decades. Sizeable companies like Google and

Nintendo have entire departments whose goal it is to keep their consumers data out of harms

way. Hospitals like Kaiser Permanente hire people specifically to maintain the security of all of

their paperless files. Universities can have departments for information security, though many

opt to provide training for the users of their online resources to protect themselves. Acquainted

with a new system, even the most careful person in the world could benefit from some basic

security training. Furthermore, vast majority of security professionals believe that their

organizations security systems dont protect their data nearly as effectively as it should

(Oberman, 2014). Firms that are devoted to information security might provide training all

across the board for an entire business. Instead of existing as a section of a bigger business, these

independent companies have been springing up to provide digital security as their main product.

A couple of the big names today include Tetrad Digital Integrity (TDI), FireEye, Lancope, and

AlienVault, all featuring the common goal of threat detection and risk assessment. Individuals

working at an information security company can hold a multitude of different titles. Several of

the ones encountered include security analysts, CISO (chief information security officer),
 Gan 3

security consultants, and security systems administrator. Security analysts are responsible for the

safety of data and the analysis of implemented security measures. The job usually consists of

creating plans of action for maintaining security as well as bolstering awareness. Chief

information security officers are executives, responsible for maintaining the company vision and

the maturity level of the security team. They have the job of addressing the key stakeholders

when it comes to the companys risk profile, which can be risky business in itself (Burgess,

2014). Security consultants, somewhat similar to security analysts, explore code until they find a

vulnerability. They can act as the devils advocate for a companys digital safety and poke holes

in the security systems in place, if there are any. Administrators of security systems have

responsibilities that range from installing to maintaining to troubleshooting. In the end, it all

comes down to advising others on how to prevent, detect, and manage threats while

implementing systems to keep threat management in check. Every information security company

has their own unique product and service to offer.

FireEye, founded in 2004, has its headquarters in Milpitas, California. They offer

products to detect, analyze, and block incoming threats to mobile devices, networks, email, and

data centers. FireEye also offers subscription-based services and consulting, as many information

security companies do. They wouldnt have the success they have today without their employee

base that reaches upwards of over a thousand people, nor would they be here without their

founder, Ashar Aziz. Aziz was first an engineer at Sun Microsystems. He then went on to create

Terraspring, Inc., a data center automation and virtualization company, before he founded

FireEye. Dave DeWalt was previously the CEO and president of McAfee before working

alongside Aziz. The president of the company is Kevin Mandia, who had previously established

his own security firm named Mandiant back in 2004 (Hesseldahl, 2013). Mandiant was then sold
 Gan 4

off to FireEye where Mandia works today. A few more big names in the company include Grady

Summers, senior vice president and chief technology officer; Kara Wilson, senior vice president

and chief marketing officer; and Julie Cullivan, senior vice president of business operations and

chief information officer. Alongside their hundreds of employees and teammates, this group of

people are known for two of FireEyes main products: the central management system (CMS)

and threat analytics platform (TAP). The CMS is a hub that manages FireEyes multiple security

products. It allows all of the security systems to communicate and share data with each other,

allowing for better response time and threat identification (Central Management, 2015). This

type of product is important for overall security in the event that a malicious site attacks through

different means. Fire Eye's TAP sorts through data that streams in as this is how cyber-attacks are

delivered. The program is intended to expose suspicious patterns and identify big attacks. By

acknowledging and prioritizing truly malicious behavior, TAP helps optimize the response time

and efficacy of the security team (Threat Analytics Platform, 2015). FireEye tries to cover all

of its bases when it comes to data security. They even offer a service titled forensics, which is

malware analysis after the digital calamity has settled. They have a solution for most methods by

which information can flow in and out of networks and systems.

As a company that is responsible for countering extremely variable and potentially

harmful situations, how the public responds to FireEye plays a heavy role in its business. Despite

its stock values falling in 2014, the company maintains a healthy relationship with the public and

continues to earn more and more revenue (McGrath, 2015). The security companys ratings by

their own employees on GlassDoor also see a positive trend. A favorable reputation signifies a

lot, and just one bug gone unchecked has the potential to cause waves. In SC Magazine, FireEye

was compared unfavorablely to Kaspersky for their response, or lack thereof, to a bug in their
 Gan 5

products (Ring, 2015). Being a more recent event, its difficult to say what effects their low

response time will have on their overall public standing. Still, the company has been known to be

a reliable malware buster and will most likely maintain that influence in the tech world.

Information security is a bustling field that I wouldnt mind being a part of, though there

are two other fields that yield just as much interest. Mobile app design and video game

development can be two incredibly profitable lines of work. The opportunity to flex some

creative muscles while earning money would be a dream come true. To obtain work in the

information security field, I would study for my certifications. It would be ideal to have them

before entering the workforce, though the goal is to earn them before my graduation from

CSUMB. CompTIA's Security+ certification is the first one on my list. As an entry level

certification, it demonstrates the acquisition of broad knowledge and expertise in security-related

practices (Tittel, 2015). As of today, it is a single exam that costs about $300. There are no pre-

requisites, but the exam takers skills and knowledgebase must be up to par. Next is the CEH

certification (Certified Ethical Hacker), and it is offered by the International Council of

Electronic Commerce Consultant. The CEH certification is a badge that says the holder knows

how to hack into systems, just like the malicious neighbor across the street that reads your emails

every day at four in the morning. The difference between the CEH certification holder and the

nosy neighbor is that the neighbor isnt breaking into your email account for the sole purpose of

discovering and reporting a problem in your security system.

As Tittel states:

CEH credential holders possess skills and knowledge on hacking practices in areas such

as footprinting and reconnaissance, scanning networks, enumeration, system hacking,

Trojans, worms and viruses, sniffers, denial of service attacks, social engineering, session
 Gan 6

hijacking, hacking web servers, wireless networks and web applications, SQL injection,

cryptography, penetration testing, evading IDS, firewalls and honeypots and more. (2015)

The examination costs about $500 and unlike CompTIAs Security+ certification, it

requires verified study and experience beforehand. A training course is required, but it can be

replaced by self-study. However, self-study incurs a $100 fee as well as two years of work

experience (Tittel, 2015). This particular certification exam would have to wait until after

graduation. The CEH certification calls for continuing education, and quite similar to the

California real estate license, it consists of 120 credits every three years with at least 20 credits

earned every year. Unlike real estate, technology changes at a rapid pace, so this required

education is fitting.

Mobile app development and video game design necessitate similar preparation. A

completed portfolio is an invaluable asset. I would start working on my portfolio early on in the

program and plan to finish it around the graduation time. The Unity game engine is a beautiful

piece of software that Ill learn inside and out as well. Maya is another resource thats valuable to

have in a game developers belt, so that program is on the list as well.

All in all, to reach either one of those prospective dream jobs, I will need to meet people

who are in my desired field. Who you know matters a great deal, and I intend to give myself a

head start on knowing the big names, especially in game development. My real estate training

will lend itself very well to my future endeavors in this area. Inspiring somebody to talk about

themselves and exchange business cards is a lot easier than teaching them that proof of funds are

required to buy a home. Graduation on-time and in good standing is also part of the plan. The

local community college offers a wide variety of computer science and design courses. If theres

something that I feel Im lacking, Ill take courses there. As for information security specifically,
 Gan 7

Ill be looking more into certification and participating in networking events to scout out who

could be hiring and who would keep me top of mind. Game design and app development require

a solid portfolio in my corner, and graduation is required in both branches of my plan. Ill apply

for internships before my stay at CSUMB is over as well, and if my plan changes along the way,

I can easily move things around to accommodate.

The security of our personal data has become a pressing issue, but it isnt without

solutions. Whether its due to our carelessness with passwords or a hackers unfortunate version

of fun, the information security field is booming. At any given large company, there will most

likely be a dedicated person, department, or outside business devoted to keeping their

information safe. FireEye is that type of company, and it is only one of a numerous other

companies within the information security field. There are also other fields that Im interested in,

namely game design and mobile app development. Ive learned that going down any of these

paths takes a lot of dedication and perseverance, and Ill work as hard as I can to achieve my

goals.
 Gan 8

References

Burgess, C. (2014, June 23). What Is the Role of Todays CISOs? 7 Questions Business Leaders

Are Asking. Retrieved September 12, 2015, from https://securityintelligence.com/what-

is-the-role-of-todays-cisos-7-questions-business-leaders-are-asking/

Canavan, J. (2001). Fundamentals of Network Security. London: Artech House.

Central Management. (2015). Retrieved September 12, 2015, from

https://www.fireeye.com/products/central-management.html

Hesseldahl, A. (2013, April 3). Kevin Mandia to Talk About Fighting Hackers at

Code/Enterprise. Retrieved September 12, 2015, from

http://recode.net/2015/04/03/kevin-mandia-to-talk-about-fighting-hackers-at-

codeenterprise

Lapley, P. (n.d.). Retrieved September 13, 2015, from

http://www.historyofphonephreaking.org/faq.php

McGrath, M. (2015, February 11). FireEye Pops After Losing Less Money Than Expected.

Retrieved September 8, 2015, from

http://www.forbes.com/sites/maggiemcgrath/2015/02/11/fireeye-pops-after-losing-less-

money-than-expected

Oberman, E. (2014, July 2). A Lack of Communication on Cyber Security Will Cost Your

Business Big. Retrieved September 21, 2015, from

http://www.entrepreneur.com/article/235318

Ring, T. (2015, September 8). War of words as researchers reveal Kaspersky and FireEye zero-

days. Retrieved September 8, 2015, from http://www.scmagazine.com/war-of-words-as-

researchers-reveal-kaspersky-and-fireeye-zero-days/article/437228
 Gan 9

Seltzer, L. (2013, November 2). The Morris Worm: Internet malware turns 25. Retrieved

September 12, 2015, from http://www.zdnet.com/article/the-morris-worm-internet-

malware-turns-25/

Threat Analytics Platform. (2015). Retrieved September 13, 2015, from

https://www.fireeye.com/products/threat-analytics-platform.html

Tittel, E. (2015, September 3). Best Information Security Certifications for 2016. Retrieved

September 8, 2015, from http://www.tomsitpro.com/articles/information-security-

certifications,2-205.html