Our “So You Want To Be” series interviews men and women in engineering or jobs that require an engineering background to ask about their career, how they got into their line of work, and what their job entails.
Today’s interview is with Andre’ DiMino, a Computer Forensic Information Security Systems Engineer. This job entails digital forensics, computer crime investigation, threat analysis, malware and network traffic analysis, botnet research, intrusion detection, and network security monitoring.
Andre’ is a graduate of Fairleigh Dickinson University with a BS in Electrical Engineering. He is also the Co-Founder and former Director of The Shadowserver Foundation, Co-Founder of DeepEnd Research, and most recently worked for the Bergen County (NJ) Prosecutor’s office.
Tell Us a Little About Your Background.
I’ve always had an interest in electronics and how things work, so (the decision to study) electrical engineering in college was easy. It’s ironic considering what I am doing now – but I entered college with no interest whatsoever in computers. About my 3rd year of EE I was really bitten by the computer bug, so I started to focus more on engineering with a computer science angle than on electronic engineering itself.
My first job out of school was working for a company that did hardcore electrical engineering – design engineering, microprocessors, PC manufacturing for defense. It was great exposure not only to the engineering aspects of the commercial world, but also to a lot of different companies and how they were integrating technology and computers into their everyday work.
How did you become a Computer Forensic Information Security Systems Engineer?
The company that I worked for had test equipment – both hardware and software. I was promoted to system administrator for the software networks, so I dug into both system and network administration. Various types of protocols, how computers communicated with each other – the architecture behind how computers communicated really fascinated me. This exposure eventually led me to work for a company where I was a system administrator for a computer network.
One of my many hats at this job was to run the network. On a Monday morning going through the log I noticed it looked like we were hacked over the weekend.
There were all kinds of telltale signs of this outside group dumping a bunch of files in the network – it didn’t do much damage but it was a hack and I had to know everything about it. “What was this supposed to do?” “What are the IP addresses?” “How did they get in?” They had all kinds of pirated material and we had plenty of storage space so they just took advantage of it. That’s how I migrated from straight IT – getting hacked launched my interest in computer security.
I began studying malware. My love of networking fed into that because I started studying how to detect intrusions, tied together all my knowledge of systems and network administration… I just started to focus on security and especially security as it related to networks.
On a security IRC chat room I met a like-minded guy out of Colorado and we started talking about the malware we were seeing on a day-to-day basis. From there we formed Shadowserver and began chronicling all the computer malware that’s out there. We gathered information and asked more questions – “Which network is connected to who?”, “How does it eventually go from a small system in Iowa to calling back some Ukrainian server?”, etc. Eventually, it all has to talk to some other remote network.
We made it a point to be completely open at Shadowserver – completely whitehat – so that any data we got we would distribute free of charge. We became a data sharing group, a threat analysis group. It was free and open data to security researchers, all run by volunteers, and it became very popular.
One of the byproducts of being in network security is that it always goes back to crime. It always falls back to the question, “What criminal roots are involved?” We needed to get law enforcement more involved and aware of what was going on. They don’t have the time to do the deep diving outside groups would. So we developed public and private partnerships between us and the FBI, International Law enforcement, state and local police departments and began sharing this data – which was just huge at this point.
Around this time I learned the Bergen County Prosecutor’s office was hiring people to do forensics and computer security and I made the leap into forensics.
What education is needed to become a Computer Forensic Information Security Systems Engineer?
If I had to go back and do it over again I’d say you’ll really have to understand the discipline of coding – at least one scripting language. And if you’re doing forensics, you really need to understand network systems architecture, and knowledge of network protocols is indispensable.
Engineering is a great background because it teaches you how to think and not to take things at face value; to dig and understand the ‘why’ behind it. In computer forensic investigation you want to continually ask yourself “Why is this here?”, “Why is something not here?”. No matter what class you’re in, engineering teaches you this approach.
Electrical engineering is a wide area of disciplines you can focus on, but to go down the forensics realm then the network side of things and computer structures are the most important things to focus on. You will need to know things like, “how do the file systems work?” in this field.
Are there any must-have certifications?
I have a love-hate relationship with certifications. On one hand, they are great in that they systematically ensure that you work through the subject matter. On the other hand, they can be a crutch to those that feel that a certification demonstrates complete knowledge or experience in a certain area.
With that said, I would say that the SANS training and certs are a good way to learn or specialize in various areas in InfoSec. In the forensics world, the CFCE, EnCE, and ACE are good certs to attain. SANS has good forensic certs as well.
What would you say is the best part of your job? The worst?
The best part of my job (working for the Bergen County prosecutor’s office) is that it’s challenging and interesting to develop a timeline of events on a computer that corroborates with real world criminal activity. Given that these events happened in the real world you must constantly ask yourself, “how do they translate to the virtual world? What are the missing pieces?”
The single best result of the work, however, is finding a missing child. You are responsible (as a computer forensics expert) to piece together all the disparate bits of information across a computer, or several, to discover where they might be, who they might be associating with… And assembling all the little scraps of information in a way that makes sense for a police department or a prosecutor to do their jobs is very rewarding.
The worst part of the job is the sheer volume of cases, the need to triage cases between what’s important and what can wait. Then asking yourself, “did I do enough on a case? Did I find everything that needed to be found?” You will always feel like you need to do more.
There is also an immense need to keep up with things: A new vulnerability. New method of anti-forensics. New encryption. You will get the feeling that you’re never quite there. There’s so much to know and never enough time. And if you’re of an engineering mind you expect a sense of completeness, order and discipline… but with the sheer volume of cases and constant learning, you’ll never get that.
Why is engineering an asset to Computer Forensics?
Engineering is a great foundation, it is the baseline. You can go into security. You can go into forensics – and there are new subspecializations within computer forensics all the time. There are host-based, network-based, malware and memory forensic specializations. These are evolving extremely rapidly – especially memory forensics. Many types of attacks won’t be detected without understanding memory forensics and malware.
Engineering especially prepares someone to be a good forensic examiner. It makes you be detail-oriented. If you look at a forensic case from the perspective of having been a detective you’re not going to see the bits and bytes and ones and zeros that an engineer might… and sometimes that is really what is needed to string all the pieces together.
Any other anecdotes you can share about being a Computer Forensic Information Security Systems Engineer?
We had an internship program with some remarkable students. I’d like to emphasize the same thing I tell them:
One, you have to understand you don’t and won’t know everything. Many students come in with the sense that “hey, I’m really really good at this stuff.” And they are, or they wouldn’t be coming into our internship. But you will crash and burn if you think you’ve arrived. You can never stop learning or you’re going to be left behind really soon.
Two, you must give back. You have to teach. As you learn, as you become good, you have to pass that on to others. Everyone in this industry learned from someone else (unlike more conventional careers). It is your responsibility to pass it on to others because it is a symbiotic relationship and it’s how the industry moves forward.
Last note – as a forensic examiner you have to remain humble. You cannot think you’ve “got this, I’m just going to wing through this case”… you need to be humble and constantly question yourself. Don’t be afraid to ask someone else to look at your work, challenge you, question what you did. You can’t be afraid to take criticism.
Humility will go a long way.
Education Required: High School (mandatory), college education in science and engineering (preferred), certifications (preferred). This job entails constant continued education.
Salary Range (according to Payscale.com): $66,640 – $130,000 for “Network Security Engineers”; $49,068 – $135,909 for “Forensic Computer Analysts”
Work Schedule: 9-5 with overtime as-needed. For Law Enforcement Forensics or Incident Response, you are considered available at any time there is an issue that warrants rapid attention.