From a novice student to an information security engineer in 8 months. My experience of starting in a direction that everyone likes

It's summer, and for many students the pressing question has become: where should I go for internship? The good news is that most employers start internship programs around this time.

Last year, I myself was looking for a company to start my career, I didn’t understand where to start, and I didn’t expect at all that I could grow so quickly. So, below the cut is my experience of a quick and comfortable start in information security in a large company!

Where did I start?

I started looking for a job after finishing my third year at the National Research University Higher School of Economics with a degree in computer security. At that time, the technical basic subjects were already behind me, and I began to study programs in a specialty such as the basics of information security. At our faculty, design activities are required, so by that time I was able to gain experience in developing a tool for designing program logic integrated circuits.

I started with the resume. Here many people are faced with the fear of a “blank page” and do not know what to write. There is a common misconception that the employer will not be interested in your success at school and university. This is not true, but the main thing is not to overdo it. For example, I added information about successes in computer science Olympiads, mentioned the experience of speaking at scientific conferences and the experience of practical work at a university. To create a resume, I used a ready-made template on HH.ru and looked for a job there.

During the search, I realized that you need to always be ready to communicate with a potential employer: take calls from all numbers, constantly check your email and instant messengers.

It can be helpful to read job descriptions to understand what skills and knowledge are in demand and try to quickly fill knowledge gaps. It immediately became clear to me that it was worth studying network technologies, laws in the field of information security and repeating information security tools.

I think that knowledge of networks will be useful in almost any company, so I recommend that you read the series of articles “Networks for the little ones” You can also dive into the nuances of legislation in the area you are interested in – this will often appear in job vacancy texts.

Don't be afraid of refusals – most likely there will be a lot of them. I was looking for an internship for about a month, applying for vacancies every day, and received dozens of refusals before getting into Jet Infosystems. Unfortunately, I was not given detailed feedback after the interviews, so I never understood the reason for the refusals. Perhaps I lacked knowledge in some areas. But each time I understood better what employers need from young professionals, how to present myself correctly during interviews and, of course, what tasks and corporate culture would be more to my liking.

My colleague wrote in more detail about writing a resume and finding a first job in her instructions.

How to qualify for an internship?

Selection for Jet Infosystems took place in three stages: a homework test, an interview with HR and another task that had to be solved during the meeting, as well as participation in a case club for teams.

Stage 1

After submitting my application, I was sent a task in which I had to implement an information security audit for Romashka LLC and propose measures to improve the organization’s security level.

To complete the tasks, a detailed description of the type of activity and structure of the company, its business processes and the technologies used was provided. A company logic diagram was also provided.

Example of an organization description

The Romashka LLC company is engaged in growing flowers and selling them on the retail market and is a full-cycle company (from production to sale).

The company has the following sites:

• central office in Moscow;

• farm with warehouse in Zelenograd;

• five retail points of sale in Moscow.

The company employs 67 employees:

• general director – 1;

• HR service – 3;

• accounting – 3;

• finance service – 2;

• marketing department – 3;

• security service (including security guards) – 4;

• economic services (logistics, storekeepers, loaders, drivers, gardeners/agronomists, technologists) – 25;

• sales department (including cashiers/florists at 5 retail outlets) – 15;

• developers – 3;

• IT service – 6;

• Information security service – 1.

The logical diagram of the company is presented below for clarity:

What advanced methods does the company use to grow flowers:

• sensors have been introduced into the soil that monitor oxygen levels, fertilizer levels, etc.;

• an air conditioning system is used with the ability to centrally change the temperature and humidity of the air (implemented by the chief technologist from the central office based on the data received);

• technology workers use tablets to collect information from sensors and transmit information via Wi-Fi over the Internet to the Crop Monitoring System.

The Crop Production Monitoring System application, which operates 24/7/365, is critical for the company. The application is in-house developed and also allows for a technological efficiency of 196% compared to conventional flower growing methods.

In addition, the company has the following IT services and IS, which are physically located in the server room at the central office:

• Active Directory (1 forest, 1 domain, 1 domain controller);

• mail service (Exchange), including Outlook Web App;

• “1C: Salary and personnel management”;

• “1c accounting”;

• “1C: Retail”.

Romashka LLC has been in existence for 1 year and shows phenomenal economic results. Just a month ago, the company hired the head of the information security service, who, in the first month of his work, described the current state of affairs.

List of CIS notes:

• There are no formalized documents in the field of information security, except for the information security policy, which was downloaded from the Internet and slightly adapted by IT service employees.

• At the moment, no measures are being taken to protect personal data in the company.

• The company has a network engineer in the IT service who designed and implemented the network infrastructure, but there is no project documentation. All the information is in the network engineer’s head. There is only a diagram (l2-l3) of the network drawn in pencil on an A4 sheet, which hangs at the network engineer’s workplace.

• The network is segmented into several vlans on the core switch. The following segments are divided into: 1) Workers' workstations in the office, telephones and office equipment; 2) IT services and IP; 3) Workplaces of cashiers in retail branches.

• The only source of information about network problems is user complaints.

• After an accident on the central switch, restoring the network's functionality took more than three days, despite the fact that replacement equipment was provided by the manufacturer the very next day.

• The mail service (including OWA, ActiveSync, smtp and imap) is available to company users from the Internet via port forwarding on the edge router.

• IS based on 1C and Active Directory administration interfaces are available only from internal corporate segments.

• The Crop Production Monitoring System application has a client-server architecture:

1. the client part is installed manually on Android tablets of technologists with root rights;

2. the server part of the application is deployed in the server room at the central office and published on the Internet via port forwarding on the edge router;

3. information from tablets is transmitted via the Internet using the TLS 1.1 protocol.

• Cash desks in retail branches rent RBS terminals from the Bank to make payments for purchases.

• There was no differentiation of access rights; all users were assigned the rights they requested, but at the same time, users were prohibited from working under a local administrator account.

• Anti-virus solutions with centralized management capabilities are installed at employee workstations in the central office.

• The company is growing quite quickly, there is no up-to-date register of assets, computers and tablets are purchased “spontaneously and chaotically.”

• Software on computers and tablets is updated in accordance with default automatic update settings; software on servers is updated if incorrect operation of the software is detected based on user complaints.

• Users are prohibited from using flash drives and any other removable storage media.

• Due to the epidemiological situation, central office employees partially (in shifts) switched to remote mode; to access workstations on the corporate network, the IT service organized VPN access based on an Open Source solution with single-factor domain authentication from users’ personal home computers.

• During the existence of the company, several people left, their accounts are still active in AD.

• Users working on the farm and warehouse are prohibited from taking out tablets and installing any software themselves.

• Only 3 employees changed (on their own initiative) the password for their domain account during 1 year of work.

• To access the IT infrastructure, one SSH tunnel was opened, which was known only to the network engineer.

• Backup is performed only for the critical Crop Monitoring System application.

• Vulnerability scanning has never been performed.

• The company does not have any information security systems, with the exception of anti-virus software.

• Developers periodically add to the application and force updates manually on tablets. No information about the application is provided to anyone, not even to the newly hired head of the information security service.

• All developers work remotely.

• The source codes of the Crop Production Monitoring System application are stored directly on the application server.

• The company also cooperates with various suppliers of fertilizers and wholesale partners for the sale of flowers.

It took me several days to solve the problem. It was interesting to understand the features of the company’s technology stack and its potential vulnerabilities. I had to read a lot about different technologies and differences in versions, as well as known vulnerabilities in them.

The task seemed easy to me, especially because of the detailed description. Moreover, ChatGPT helped me identify areas that should be examined more thoroughly. After this, I was invited to the next stage.

Stage 2

Before him, HR asked everyone to read the article about clouds, about which they then asked questions. The main goal is to understand how I learned a new topic. The article itself is prepared annually by the company’s experts; it can relate to any topic in information security that a novice specialist should be familiar with.

Article structure example

Let's imagine that this year the theme of SOC will be taken as a basis. What our experts will definitely include in the article:

— determination of SOC;

— SOC tasks;

— what does the SOC consist of;

— SOC organization model;

— technological core of SOC.

The task was followed by a personal conversation with HR, during which they told me in more detail about the information security center, its structure and culture, described the areas of work, and also described the atmosphere in the Jet Infosystems company. In the process of communicating with HR, we talked about various issues related to security and related areas.

Also at this meeting, HR will find out in which direction of information security you would like to develop in the future. If you haven’t decided yet, don’t worry: they will help you choose the right direction. At first, I also didn’t know what exactly I wanted to do, but when I got into my department, I realized that they had found the right place for me.

Stage 3

The final selection was held in the format of a case club. Everyone was divided into teams of 4–5 people and asked to solve a problem close to the working one.

Together with my teammates, we had to develop a plan to improve information security at Company N. We could have shared responsibilities if we wanted, but we did without it and did everything together.

Previously, we received several introductory information about the customer in the following format:

Example of a company description

A large Russian bank with representative offices in the Russian Federation. The headquarters is located in Moscow, branches are distributed throughout major cities. The new CIO had a task: to put information security in order and plan the budget for the next year.

Most of the information could only be learned during meetings with the IT and information security departments, as well as with the company’s management. We had to prepare for them – at least sketch out an approximate pool of questions that would help us solve the problem. Naturally, we did not communicate with a real customer, but with specialists from the Jet Infosystems company, who “played out” the roles assigned to them.

The most difficult thing was the ambiguity of the answers. As in reality, there are elements of infrastructure that no one knows anything about for sure, but nevertheless they function. After conversations with all representatives of the “customer”, we compiled a description of the company and its most valuable IT assets. Based on this, a plan was developed to improve the level of information security in the organization. The next no less difficult step was the presentation and defense of our ideas.

Afterwards we received voluminous feedback: which decisions were successful and which decisions we made wrong. For example, we forgot to offer the customer to install an antivirus.

From trainee to engineer

After going through all the stages, they made me an offer and asked me to work in the protection department of automated process control systems and control information systems. Our customers are industrial enterprises for which process continuity is very important. And therefore, specialists often have to travel to their facilities, which may be located in hard-to-reach places – for example, in Yakutia.

During the probationary period, each intern has his own mentor, who helps him quickly adapt to the company, introduces him to colleagues, gives him a tour of the office, tells him how key business processes work, and helps with all questions. But in principle, you can turn to anyone for help; all colleagues are very responsive. Also, at the adaptation stage, a meeting with the HR director is very helpful, where they talk about the history of the company, management, large-scale projects and “goodies” for employees.

What seemed most comfortable to me: there are clear criteria for many things. For example, in order to pass the probationary period, you must complete the tasks specified in the offer. This way, everyone understands what they will be doing during these three months, what exactly needs to be studied and done to complete the assigned tasks. One of my tasks during the probationary period was to get acquainted with Vipnet Xfirewall. Currently, as part of an individual development plan, I am studying Cyber ​​Backup and Kaspersky Industrial CyberSecurity.

There were also difficulties in the adaptation process, but there were not many of them. It was difficult to get used to the fact that all my colleagues communicate on a first-name basis—it took me about two months.

If you are still studying, then the most obvious question is: how to combine work and study? I can’t speak for everyone, but I did it well both then and now. Typically you will be asked to work between 25 and 40 hours per week. You can choose a time that is comfortable for you depending on the workload at the university. I chose 25 hours, 16 of which were spent in the office, and the remaining time worked remotely. Working hours can be flexibly adjusted to pairs so that there is no overlap, or you can work during lectures, as many do. But, in my opinion, work should not interfere with studies.

Try to determine development vectors for yourself at the start of your internship. Few people think about career growth at the beginning of their journey and pursue the goal of gaining at least some experience. This is not entirely correct; it is better to immediately think about the future, so as not to regret the time spent later. It’s great if the company provides a Performance review or IPR – this helps to determine your goals for the near future and move clearly according to plan. This approach helped me grow to an engineer in 8 months.

During my time at Jet Infosystems, I got involved in many interesting projects, got acquainted with key information security products and worked with professionals with extensive experience. Internships at our information security center start every year at the beginning of summer. If you are interested, register at link.