Information security systems analysts: An overview
IT security systems analysts conceptualize, design and implement security attacks against a computer system to identify its vulnerabilities and strengthen the system against them. They can also decode and identify malware, computer viruses, and worms. IT security systems analysts need a solid understanding of computer science, information technology and software programming, and the ability to think creatively.
According to the Bureau of Labor Statistics (BLS), information security analysts usually need a bachelor's degree in computer science or a related subject (BLS.gov/ooh, 2012). Security analysts may be required to have earned an MBA in information systems. An MBA generally requires two years of study beyond a bachelor's degree and can prepare analysts for managing other security teams or security departments, as well as preparing the security analyst for working with a company's management.
In addition to earning a degree in a related field, the BLS also notes that information security analysts may be required to have prior work experience in a related occupation or field, such as computer systems analysis, database administration, or software programming.
While the job description of an information security analyst can change from employer to employer, information security analysts can generally expect to do the following:
- Implement firewalls across an entire network
- Deconstruct worms and viruses
- Monitor traffic for malicious activity
- Create "honeypot" defenses for attackers
- Perform a penetration test on their own security measures
A number of certifications are available to IT security analysts to display their varied security skills:
- EC-Council: Ethical Hacker Certification
- TruSecure: TICSA Certification: Information Security Basics
- CompTIA: Security+ Certification
- (ISC)2: Certified Information Systems Security Professional
Many of the certifications for information security analysts are vendor-neutral, meaning they are not offered by a software provider and do not focus on software from a specific vendor, and none of the certifications require state, agency or government approval. Similar to locksmiths and safecrackers, there is no difference in the skills or tools of a professional information security analyst and a criminal hacker, only in how they choose to use their skills (Forbes.com, 2012).
Skills of a security systems analyst
Since the job of an IT security systems analyst is to outthink hackers, the work can involve anticipating where an attack might come from and how the attack might be carried out. Sometimes this involves breaking into the analyst's own network. As a result, the BLS notes that information security analysts may benefit from the following skills (BLS.gov/ooh, 2012):
- Good problem-solving skills
- Excellent attention to detail
- Strong organization skills
- Solid analytical skills
- Ability to work well as part of a team
Additionally, information security analysts should have the mindset of a hacker, continually testing boundaries and limitations (Forbes.com, 2012). Because those who may attempt to break a network's security will not obey rules and industry norms, analysts who want to protect data should think like someone who wants to steal data.
This might require analysts to dupe their own employees with viruses they created in order to test the firewalls of a network and even leverage social engineering to get their co-workers to break their own security (WSJ.com, 2013). In essence, it is vital for an information security analyst to possess a) the knowledge of how to cheat at IT security, and b) the willingness to do so.
"Hacking is cheating, and it's how we get better at security," wrote security technologist Bruce Schneier (Schneier, 2006). "We need these people in security, and we need them on our side. Criminals are always trying to figure out how to break security systems. Field a new system -- an ATM, an online banking system, a gambling machine -- and criminals will try to make an illegal profit off it. They'll figure it out eventually, because some hackers are also criminals. But if we have hackers working for us, they'll figure it out first -- and then we can defend ourselves."
Tools of the security systems analyst
The tools of an IT security systems analyst are the same as those used by hackers, so it stands to reason that security analysts can expect to use some of the following hacker tools while preparing their company's security:
- Network vulnerability scanners such as Nmap and GFI LanGuard
  - These software tools look for unrestricted ports, information on usernames, passwords and group info. When used maliciously, these are called "worms."
- Network analyzer software such as OmniPeek and Aircrack-ng
  - This software allows a security analyst to monitor traffic across an entire network and spot potential denial of service (DoS) attacks or traffic bottlenecks.
- Exploit software such as Metasploit and Milw0rm
  - Exploit software looks for bugs in the code that could be exploited by an attacker to gain privileged data or facilitate a DoS attack.
- Database security software such as AppDetectivePro and SQLPing3
  - This software locates any and all databases across an entire network and monitors the activity of each database, similar to a network analyzer, while also checking for potential exploits.
Information security analysts may also need to understand the types of vulnerabilities and weapons of attack, such as DoS attacks, SQL injections, and man-in-the-middle attacks. Man-in-the-middle attacks breach security on information after it leaves a user's computer and before it reaches the network, often as it passes through an email system or a website. As such, information security analysts may create and disassemble computer viruses, malware, spyware, computer worms, and Trojans. Security analysts may also be expected to know various programming languages such as C, Java, and SQL, among others.
Employment opportunities for security systems analysts
IT security analysts can be employed under many job titles, including:
- Security Managers
- Information Security Analysts
- Systems Security Analysts
- Penetration Testers
- Code Breakers
- Data Security Engineers
- Security Engineers
- Cyber Security Analysts
The Bureau of Labor Statistics reports that, as of May 2012, information security analysts earned a national median annual wage of $86,170, with the highest and lowest 10 percent earning $135,600 and $49,960, respectively (BLS.gov/oes, 2013).
According to the BLS, employment for information security analysts is expected to increase 22 percent from 2010 to 2020 (BLS.gov/ooh, 2012). Because cyber attacks have grown both in frequency and sophistication, as recent data mining attacks on major news outlets and search engines make clear, organizations are expected to increase their staff of security analysts to guard against these new threats. Two primary employers of information security analysts are projected to be the federal government and the health care industry, as analysts will be needed to protect the nation's critical information technology systems and to safeguard patient records (BLS.gov/ooh, 2012).
EC-Council, Courses: Certified Ethical Hacker, 2013, http://www.eccouncil.org/courses/certified_ethical_hacker.aspx
Forbes, "Exploding The Myth Of The 'Ethical Hacker,'" Conrad Constantine and Dominique Karg, http://www.forbes.com/sites/parmyolson/2012/07/31/exploding-the-myth-of-the-ethical-hacker/
Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2012-13 Edition, Information Security Analysts, Web Developers, and Computer Network Architects, March 29, 2012, http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts-web-developers-and-computer-network-architects.htm
Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics: Occupational Employment and Wages, May 2012, Information Security Analysts, March 29, 2013, http://www.bls.gov/oes/current/oes151122.htm
The Wall Street Journal, "You Won't Believe How Adorable This Kitty Is! Click for More!," Geoffrey A. Fowler, March 26, 2013, http://online.wsj.com/article/SB10001424127887324373204578373011392662962.html
Schneier on Security, "What is a Hacker?," Bruce Schneier [blog], September 14, 2006, http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html