Not sure if I am ignorant or else. Would appreciate some enlightenment.
Recently I was approached by somebody from a social network asking whether I have experience in "cyber security". I didn't know exactly what he was talking about, so I asked him to check out my professional profile, which is published somewhere and includes a description of what kinds of security-related work I did and am doing. But he only slightly re-asked the question, adding two words: "in attacks". So I told him that as a CISSP I don't engage in attacks, nor do I engage in "offensive security".
Maybe I am confused, but I think in everyday language "Cyber Security" has been just too vague a term that could literally mean different things to different parties. Note that that guy did not even talk about "Cyber Warfare" here. So, is there a true and established definition of "Cyber Security" that I might not have been aware of, thus rendering that question incomprehensible to me?
"Cyber" is an umbrella term encompassing both offensive and defensive security aspects which is primarily used in government/military in the US, and in the MD/DC/VA area. I've had the title "Sr. Cybersecurity Specialist" at an insurance company, for instance. The roots are military, to draw a distinction from the physical or "kinetic" world. In terms of warfare, a "cyber response" would be hacking back or something like Stuxnet. A "kinetic response" would be dropping a bomb.
Much like how APT (asia-pacific threat) was co-opted by marketers (advanced persistent threat), cyber has also been co-opted by marketers trying to sell into the government and military space. Saying you're in "cyber" and not "network security" is the ticket, like claiming to be a "cryptocurrency" company when you're really selling iced tea. Stretching the term causes it to lose meaning, and that sows the confusion you're feeling. So, if you do "network security," "computer security", "information security," "information assurance," "offensive security," "penetration testing", or "ethical hacking", you're doing "cyber" whether you know it or not. But if you don't live in or around the DC area and aren't looking to work for the military-industrial complex, you can probably just not worry about it. I moved to Austin earlier this year, and people mostly say cyber ironically.
This all may be different in other countries, though.
No, I don't work for military, governments or companies that provide services to them.
Thanks. If a big company is recruiting for somebody in "cyber security" (like in your case; insurance companies tend to be big), what does that typically entail? Is "hacking back" or taking a more offensive position part of the agenda, or is that not necessarily the case and it could just mean literally anything? Of course, if a JD is available, hopefully that would be a bit clearer, but assume that it is not (yet) available.
Completely agree with WDF on his first point: hack-backs etc. are not within the competencies (legal rather than technical) of anyone other than those duly authorized by governments, and frankly even that is up for debate. Legal for/by whom, against which target? Opinions differ radically...
The biggest challenge I see with it is: how do you know who you are attacking? Attribution is very difficult. Even at the top level it's all too easy to stage a false-flag operation, and these things can escalate at wire speed.
For me, I guess it boils down to the offensive and the defensive, but the real magic is in intelligence: timely, accurate and actionable. Cyber deception is probably the most interesting defensive art right now. Tying up the adversary in networks you control and finding out their intent, as well as exhausting their resources, seems like the closest you can get to safe active defenses. Of course, if an attacker finds out they may not be so happy, so make sure your tar baby is authentic-looking, and that you can throttle or pull the plug quickly enough that your network doesn't find itself running a DDoS against a state actor.
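The "throttle/pull the plug" point above is the part of a deception setup that is easy to forget until it matters. Below is an added example (not code from the post's author) of a minimal tarpit-style decoy: it drips a fake SSH banner to whoever connects, records what the peer sends so intent can be inspected, and runs every session against a hard budget of concurrent sessions, total outbound bytes and lifetime, so the decoy can never become a meaningful traffic source toward anyone. The banner string, the limits and the class/function names are all constructed for this example.

```python
import socket
import threading
import time

# Constructed limits for this example; a real deployment would tune these.
MAX_CONCURRENT = 20             # simultaneous adversary sessions the decoy will hold
MAX_OUTBOUND_BYTES = 1_000_000  # total bytes the decoy may ever send, over its life
MAX_LIFETIME_SEC = 3600         # hard stop for the whole decoy after this long

# Constructed banner that looks like a plausible real host; the decoy never
# runs a real SSH service, it only drips this string one byte at a time.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class DeceptionBudget:
    """Accounts for what the decoy has spent so an operator-set kill switch trips
    before the decoy itself starts generating traffic against a third party.
    `clock` is injectable so the lifetime check can be tested without sleeping."""

    def __init__(self, max_concurrent, max_outbound, max_lifetime, clock=time.monotonic):
        self._lock = threading.Lock()
        self.clock = clock
        self.started = clock()
        self.max_concurrent = max_concurrent
        self.max_outbound = max_outbound
        self.max_lifetime = max_lifetime
        self.active = 0
        self.sent = 0
        self.killed = False

    def tripped(self):
        """True once any limit is hit or the operator pulled the plug."""
        with self._lock:
            return (self.killed
                    or self.sent >= self.max_outbound
                    or self.clock() - self.started >= self.max_lifetime)

    def try_open(self):
        """Reserve a session slot; refuse when at capacity or killed."""
        with self._lock:
            if self.killed or self.active >= self.max_concurrent:
                return False
            self.active += 1
            return True

    def close(self):
        with self._lock:
            self.active = max(0, self.active - 1)

    def charge(self, n):
        """Account for n bytes about to leave; trip the kill switch if over budget."""
        with self._lock:
            if self.sent + n > self.max_outbound:
                self.killed = True
                return False
            self.sent += n
            return True

    def kill(self):
        """The operator's plug: nothing new is accepted and sessions stop sending."""
        with self._lock:
            self.killed = True


def serve_session(conn, peer, budget, log, delay=0.5):
    """Drip the banner to one peer, then record what it sends; stop the moment the
    budget trips. Every byte sent is charged to the shared budget first."""
    if not budget.try_open():
        conn.close()
        return
    try:
        conn.settimeout(delay * 4)
        for i in range(len(FAKE_BANNER)):
            if budget.tripped() or not budget.charge(1):
                break
            conn.sendall(FAKE_BANNER[i:i + 1])
            time.sleep(delay)  # slow drip: ties the client up at almost no cost to us
        try:
            data = conn.recv(4096)
            if data:
                log.append((peer, data[:200]))  # what the peer tried is the intelligence
        except socket.timeout:
            pass
    finally:
        budget.close()
        conn.close()


def run_decoy(host="127.0.0.1", port=2222):
    """Listen locally and hand each connection to a thread under one shared budget."""
    budget = DeceptionBudget(MAX_CONCURRENT, MAX_OUTBOUND_BYTES, MAX_LIFETIME_SEC)
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(MAX_CONCURRENT)
    srv.settimeout(1.0)
    while not budget.tripped():
        try:
            conn, peer = srv.accept()
        except socket.timeout:
            continue
        threading.Thread(target=serve_session, args=(conn, peer, budget, log), daemon=True).start()
    srv.close()
    return log


if __name__ == "__main__":
    for peer, first_bytes in run_decoy():
        print(peer, first_bytes)
```

The important design choice is that the budget is shared across all sessions and charged before each send, so an attacker who opens many connections exhausts the decoy's outbound allowance (and trips the kill switch) rather than turning it into an amplifier. Pointing the decoy at anything other than a loopback or isolated address is a deployment decision, not something this example makes.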
Cyber security in attacks can mean several things as well. Experience defending against attacks, or doing the attacking? If it is defending against them, does the experience revolve around detection, mitigation, prevention, reverse analysis, source attribution, damage repair, etc.? If it is in performing attacks, is it malware creation, penetration testing (blue, red and purple teaming), hacking back (mentioned above)?
If someone were to send me such a short response I would ask if they could send over the job description so I could verify if my experience fit the job. The brevity of their responses leads me to question how good they would be to work for.