So you want to be a security researcher?

Ever consider conducting your own security research but didn’t know where to start? DataGravity CISO Andrew Hay has some advice for you.

It doesn’t seem that a week goes by without some new device or application being discovered vulnerable – from IoT devices to big enterprise applications, proclaimed Andrew Hay, CISO at DataGravity, during a recent presentation at the MISC security conference.

In his talk, MISC 2016: Bootstrapping A Security Research Project, Hay said that anyone can perform security research – and it’s often not the technical details of the research itself that are the challenge for would-be researchers. It’s deciding what to research, how to get going on that work, and knowing when it’s complete.

Security research isn’t only fun. It provides a way to potentially discover new things, put misconceptions to rest, help improve the security of a software application or device, and raise security awareness. But, as Hay made clear during his talk, there’s more to consider and a lot more work to be done than running a fuzzer against an app, and there are important choices to be made before diving in.

Hay laid out what anyone interested in trying their hand at security research needs to know before getting started. He speaks from experience: he and his research partner recently used the release of the high-tech Hello Barbie doll as a catalyst for research, and published their findings, “Hello Barbie App, Hello Security Issues: Security Risks Discovered with Mattel Hello Barbie Demonstrates Internet of Things Security Concerns”, just before Christmas.

“I knew kids were going to be playing with this, and I wondered what type of information was going to be stored in the cloud infrastructure,” said Hay. “How intrusive was this toy going to be on a child's privacy or a parent’s privacy?”

That’s the key to picking a research subject: knowing what questions you want answered, whether you could gain access to the data you’d need to try to answer them, and how you would use the answer if you found it. “With the Hello Barbie Doll, for example, I wanted to know what type of information could be stored in cloud infrastructure that may be detrimental to the privacy of a child or a parent. I don't have kids, so it wasn’t a big concern for me, but I did think this would be interesting from a research perspective,” said Hay.

Hay cited six types of questions security researchers can use to approach their subject:

Descriptive: A question that seeks to summarize a characteristic of a set of data.

Exploratory: A question in which you analyze the data to see if there are patterns, trends, or relationships between variables.

Inferential: A restatement of a proposed hypothesis as a question, answered by analyzing a different set of data.

Predictive: A question where you are less interested in what causes an outcome than in what predicts whether an outcome will occur.

Causal: A question that asks whether changing one factor will change another factor, on average, in a population.

Mechanistic: A question about the fundamental processes involved in or responsible for an action, reaction or other natural phenomenon.

Where to get research ideas? Hay listed five areas in tech: circuitry (how the schematics and hardware code make it work), hardware, the platform (the combined operating system and compute platform of the device and its hosting provider), software (the UI/UX and backend software required to make the device operable) and the network communications involved between the device and its control/management software. Hay listed them from his perspective of most difficult to easiest.

“This is very subjective, and others’ mileage may vary,” says Hay. He comes from a strong networking background, so studying packet captures and network flows, and what’s happening at the packet level, is easy for him and is the type of research he’s drawn to. Others may appreciate straight application security; still others may favor wireless and RF.

Because of the diversity of skills needed for many research efforts, it often makes sense to form teams, he advised. One person may know hardware, another networking, and another application security, for instance. “For me, the network level is easy. You can look and see what is going on. Is it encrypted or not, how often does the device talk. Is it phoning home somewhere evil? However, with software there are a lot of intricacies that you can pick through and get really good information. This would be the operating system or even the hosting provider if we're talking about software or platform-as-a-service,” said Hay.

There are practicalities to consider when choosing an area of research, too. If you want to research hardware, you’re going to need space for tools such as an oscilloscope and a digital multimeter, and probably room for a dedicated work area. If there’s no such space, or no ready access to it, that kind of lab may not be practical. “It’s not going to work in my two-bedroom apartment so I'm going to stay away from hardware for a while, but there is a lot of really cool stuff that you can do when you have the right equipment,” Hay said.

One of the most important things to understand when conducting research is knowing when you are done. Whether you are researching an IoT device, an enterprise app, a consumer app, security software, or anything else, Hay sees four reasons to stop researching: there’s a hard time constraint; the work has diminished relevance going forward, for example because someone else goes to market with research that completely blows yours out of the water; you have successfully answered the question posed in your research; or you have failed to answer the question or to prove your hypothesis.

While many think that failing to answer the question or prove the original hypothesis is a “failure,” it’s actually a success. “Disproving a hypothesis is successful, scientifically that’s valid. It may not be the ideal outcome but it’s still successful,” said Hay. Which brings up: what is successful research? “Was some measure of knowledge created? Can you do something, or make new decisions as a result of the research? Have you created a report, presentation and application script to either fix, refute or prove your hypothesis?” asked Hay.

If so, your research is a success.

Of course you are going to need to tell the world of your research and reveal your data. That’s something every researcher must be prepared for. “This is really a pipeline model for what you should do once you have the data. You measure it, you analyze it, you create code to reproduce it, you create your presentation code. You take the information that you get, and you can summarize it in a paper, article or in a blog post. Blogs are a very quick way to get the message out,” said Hay.

Finally, be prepared to defend your data. Your findings are going to be challenged, and possibly vigorously so, said Hay. “You have to be able to take that. You have to have very thick skin if you want to defend your data or challenge someone else's research. There will be people that will come at you and say that you are wrong,” said Hay.
