What is it like to work in cyber security? We ask some of the members of the team in Symantec. Today, we hear from Candid Wüest, a Principal Threat Researcher based in Switzerland.
How long have you been in this role?
I have been in my current role for about six years, and my 15-year work anniversary in Symantec’s Security Response team is coming up as well.
How did you come to work in the field of cyber security?
It’s kind of a classic tale. While growing up, I was always fascinated by computers and electronics. Having two older brothers, one who is now a computer scientist and one an electronic engineer, helped to drive my curiosity too. But at that time in the ’80s, cyber security wasn’t really a big field, maybe apart from the movie WarGames.
Owning, or more precisely, sharing a Commodore 64 meant that I had to learn some basic English in order to understand why my favorite games didn’t start and what “press play on tape” meant. It also exposed me to the world of computer programs and coding languages like BASIC. It was fun spending night after night copying pages of cryptic programming code from magazines, in the hope of creating my own game at the end. Surprisingly, most of the time, it worked. This is how I started programming, and over the years I kept learning more and more. This passion for computers stayed with me through high school, which was also the time when internet access through dial-up modems started to appear. The world of the digital data highway got me hooked quickly and I spent many nights and expensive phone bills on text-oriented bulletin board systems (BBS) to learn more about it. As you can probably guess by now I was always more a science guy with a flair for math, hence it was kind of clear to me that I wanted to study either math, physics, or computer science. Since my oldest brother was studying computer science at the time, I decided to try it myself, and I haven’t regretted it yet.
So far, this only explains my love of computers, but not why I chose the field of IT security as my profession. There was not a single light-bulb moment that led me to choose this field of work, I think it was more a gradual shift, luring me in one step at a time. I always wanted to understand the inner workings of systems and where their limits lay. This meant trying to understand how someone had bypassed a program and how to prevent such an incident from happening again. Over time, the love for IT security grew stronger in me, and I don’t mean the times when I played the occasional pranks on friends, but the times when I had to actually implement a secure system myself. This became evident when, during my studies, a few friends and I founded a company to create web shops and provide online hosting services. We spent many long nights working on setting up servers and configuring them to our needs. Each of us had their specialty or personal field of interest, like networking, development, or hardware. As you can guess, mine was security. I wanted to secure the network and systems as well as possible. We added honeypot traps, system hardening tools, and triggers to monitor for abnormal user behavior, basically just any alarm whistle we could think of. During that time, I learned a lot about IT security and it was clear to me that I wanted to stay in that field for the future. Although I understood then that cyber security would prove to be an interesting field, little did I know or imagine how big that field would grow over the years. Just before the “Millennium Bug” proclaimed the end of the world, one of my friends came across a job posting for a security role at IBM and knew that this would be a perfect fit for me. And so it happened that I started working as a part-time student at IBM’s Global Security Analyzing Lab (GSAL) in Rüschlikon (in Switzerland), analyzing new vulnerabilities and exploits. After that, I joined Symantec in 2003, where I still am today, fighting cyber threats and learning new things every month.
“I would rather be the dumbest person in the room than the smartest”
What advice would you give to someone who wants a job like yours?
Cyber security is a broad field with many different facets. Each person should check the different options and possibilities to find the role and field that best suits their interests. For these reasons it is difficult to provide specific guidance that fits reverse engineers and developers, as well as data analysts.
However, having said that, there is of course some common advice that can help in all of these fields.
Don’t be intimidated
We all have to start somewhere and nobody is an expert in all fields. As Albert Einstein reportedly said: “The more I learn, the more I realize how much I don’t know.” There is always an opportunity to learn something new. Many organizations have internal trainee programs with mentors and guidance that can help you to get started and develop your skills. There are also good free online classes and books on IT security that you can use to educate yourself. Self-directed learning is a very helpful skill in the IT field. Furthermore, many major cities have IT security meetups or free conferences that you can attend to meet other like-minded people. Don’t be afraid to ask questions. Personally, I would rather be the dumbest person in the room than the smartest, because that way I can learn the most.
“I like this constant challenge and knowing that my work will never get boring”
Keep your curiosity
The field of IT is a fast-moving field; you must be aware of this. When I started, adware was not yet an issue, smartphones couldn’t download any apps, and nobody was talking about cloud or blockchain. New technology developments will happen, for sure, and this means that you must stay abreast of this progress. You should use the many opportunities that are available to develop and increase your skill set. Depending on the field, this can get stressful and not everyone likes this. Some people might be unable to cope with the constant demand to upskill. However, it can also be very stimulating if you get challenged over and over again by new things, and satisfying when you find a new solution to a new problem. For me, I like this constant challenge and knowing that my work will never get boring.
Don’t be afraid to try things out! If it is not for you, then at least you tried, and you know.
Is the course you studied at university relevant to the job you have now?
To some extent, yes. At the time, when I did my Master’s in Computer Science at ETH Switzerland, there were nearly no security-related classes offered. Therefore, I could not directly benefit from a forensics class or reverse engineering track, as there were none. But the fundamental principles that I learned, ranging from the assembly language on a SPARC V8 processor, and different cryptographical functions, to the different flags in a TCP/IP packet, all helped me to understand many of today’s attack concepts. Obviously, the technology has developed further since then, but knowing the background and having learned how to use analytic methodology to solve a problem helps me tremendously in my day job. You do not have to study computer science to do this job, but it certainly does help.
What do you think are three qualities someone who wants to work in a role like yours needs to have?
Curiosity
Curiosity and the motivation to solve problems is a key skill within IT security. Depending on your field, there might not be a simple manual that you can read and apply. So you have to try to find the solution yourself. There is a good chance that others might have had similar issues that you can learn from, but it can sometimes require some power of endurance to find the relevant information in the abyss of the internet.
Analytic thinking
There are many connected parts in modern IT systems, and finding the right one that you need to tweak can take a lot of time. It’s about finding a solution, finding that one line in the log file that reveals the attacker. Therefore, it is very helpful to have good problem-solving skills that make use of analytic thinking with a structured approach. In reality this is the usual combination of creativity, experience, and methodical thinking.
Communication skills
IT security is not only about learning how to break a system or fix a vulnerable program, it is very important that you can articulate problems and discuss possible solutions with different groups. You must be able to put it in perspective and point out the relevance to different interest groups. C-level managers are rarely impressed when you show them that you found a root shell on their domain controller, as this does not mean much to them. They want to know who stole what and how to fix it. Similarly, there is no point bashing the programmer that forgot to do the input validation. This does not help the situation, rather it is best to discuss the solution that can be applied.
@Credits: Medium
