Few complex professions change with the velocity of IT security. Practitioners are faced with an average of 5,000 to 7,000 new software vulnerabilities a year. Last year that number was a gob smacking 16,555. That’s like springing 13-45 new leaks in your defenses every day, day after day, year after year. That’s on top of the tens of millions of unique malware programs that threaten your IT environment each year and all the human adversaries who are also trying.
Amid this deluge of constant threats, a single slip-up could compromise the crown jewels and put your company in an unwanted media spotlight, hurt your revenues, and get people fired.
This is not to say that your team can’t successfully fight back. Of course it can – and will.
Here are twelve things every computer security professional should know to successfully fight the good fight.
1. Your opponents’ motives
You can’t begin to successfully fight bad guys without understanding who they are and why they are after you. All attackers have their own origin stories and objectives, and these two things drive everything they do and how they do it.
Today, the hackers who threaten you do so with serious motives. Most fall into one of these categories:
- Nation-state sponsored/cyberwarfare
- Corporate espionage
- Resource theft
- Cheating in multiplayer games
Even with today’s bad guys, though, every attack is not the same. Understanding the motive for it is an important key to solving it. Consider the ‘why’ along with everything else you do. That is the best way to determine what type of target your networks present. It might also offer clues on how to defeat your opponent.
2. Types of malware
A computer virus is a malware program that hosts itself inside of other programs, files, and in digital storage to replicate. A trojan horse is a malware program claiming to be something legitimate to trick humans into setting it in motion. A trojan horse does not self-replicate; it relies on the curiosity of humans to help it spread. A worm is a self-replicating program that uses code to spread itself. It does not need other host programs or files.
It’s important to understand these basic categories of malware so that when you do find a malware program, you can parse together the most likely scenario about how it got into your systems. This will help you understand where to look for the malware’s origination and understand where it will likely spread further.
3. Root cause exploits
Each year IT security professionals face thousands of new software vulnerabilities and millions of unique malware programs, yet only twelve different root cause exploits allow each of those into someone’s environment. Stop the root cause exploits and you’ll stop hacking and malware. Here are the ten types of root exploits:
- Programming bug
- Social engineering
- Authentication attack
- Human error
- Eavesdropping/man in the middle (MitM)
- Data/Network traffic malformation
- Insider attack
- Third-party reliance issue
- Physical attack
None of this should be unfamiliar. But that doesn’t mean it’s easy.
4. Cryptography and data protection
Digital cryptography is the art of making information secure against unauthorized access and modification. Every IT security professional should learn the basics of cryptography, including asymmetric encryption, symmetric encryption, hashing, and key distribution and protection.
Data protection requires a lot of cryptography. Complete data protection also demands that the data be lawfully collected and used, that you guard its privacy against unauthorized access, and that you back it up securely to prevent malicious modification and to ensure availability. Data protection is becoming increasingly required by law. (The Geek Stuff has a great tutorial on cryptography basics.)
While you’re at it, make sure you keep up on the progress of quantum computers and their ability to crack modern day public key crypto. There’s a chance that in the next 10 years or less that you’ll be forced to move all the public key crypto you are used to (e.g. RSA, Diffie-Hellman, etc.) to cryptography known as post-quantum ciphers. The whole world is readying for the move, including the United States’ National Institute of Standards and Technology. Don’t be caught unaware of the coming drastic changes.
5. Networking and network packet analysis
You will be able to recognize the truly great IT security professionals on your team because they understand networks at the packet level. They are facile with network basics such as protocols, port numbers, network addresses, layers of the OSI model, the difference between a router and a switch, and are able to read and understand what all the various fields of a network packet are used for.
To understand network packet analysis is to truly understand networks and the computers that use them. Geeksforgeeks has a quick tutorial on network basics and Vice has a quick beginning course on network packet analysis.
6. Basic common defenses
Almost every computer has common basic defenses, which good IT pros consider and apply. These are the “standards” of computer security. They include:
- Patch management
- End-user training
- Secure configurations
- Intrusion detection
Understanding and using the basic common IT security defenses is a must for every IT security professional. But don’t stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do.
7. Authentication basics
The best security professionals understand that authentication is more than the process of putting in a valid password or satisfying a two-factor ID test. It’s much more involved than that. Authentication begins with the process of providing a unique, valid identity label for any namespace – such as the email address, user principal name, or logon name.
Authentication is the process of providing one or more “secrets” that are only known by the valid identity holder and his authentication database/service. When the valid identity holder types in the correct authentication factor(s), this proves that the authenticated user is the valid owner of the identity. Then, after any successful authentication, the subject’s attempted accesses to protected resources is examined by a security manager process known as authorization. All logon and access attempts should be documented to a log file.
Like everything else in security, authentication is evolving. One of the newer concepts, and one that I believe is among the most likely to take hold, is continuous user authentication, in which everything a logged in user does is constantly re-evaluated against a established pattern.
8. Mobile threats
There are now more mobile devices than people on the planet and most people get most of their information through a mobile device. Because humankind’s mobile prowess is only likely to increase, IT security professionals need to take mobile devices, mobile threats, and mobile security seriously. The top mobile threats include:
There isn’t usually much difference between mobile threats and computer threats, but there are some differences. And it is a great IT pro’s job to know what those are.
9. Cloud security
Pop quiz: What four factors make cloud security more complex than traditional networks?
Every IT pro should be able to easily pass this test.
The answer is:
- Lack of control
- Always available on the internet
- Multitenancy (shared services/servers)
The joke is (and isn’t) that cloud really means “other people’s computers” and all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure used to store sensitive data and service users. You have to trust that the cloud vendor’s security team is doing its job. Cloud infrastructures are almost always multitenant architectures, where keeping different customers’ data separate can be complicated by virtualization and the recent containerization and development of microservices. Heralded by some as a way to help make security easier to do, each development usually makes the infrastructure more complex. And complexity and security do not usually go hand-in-hand.
10. Event logging
Year after year, the research shows that the most missed security events were right there in the log files all along, just waiting to be discovered. All you have to do is look. A good event-log system is worth its weight in gold. And a good IT pro knows how to set one up and when to consult it.
Here are the basic steps of event logging, which every IT security professional should know:
- Event log collection
11. Incident response
Eventually every IT environment suffers a failure of its defenses. Somehow, a hacker or their malware creation makes it through. Havoc, naturally, ensues. A good IT pro is ready for this with an incident response plan, which should be put into action immediately. A good incident response is essential. It can be the difference between an event that ruins your day and one that ends up in the media and tarnishes the character of your company. The basics of incident response include:
- Respond effectively and in a timely fashion
- Limit damage
- Conduct forensic analysis
- Identification of the threat
- Limit future damage
- Acknowledge lessons learned
12. Threat education and communication
Most threats are well known and re-occur frequently. Every stakeholder from end users to senior management and the board of directors needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.
No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:
- The most likely, significant, threats and risks against the organization
- Acceptable use
- Security policy
- How to authenticate and what to avoid
- Data protection
- Social engineering awareness
- How and when to report suspicious security incidents
Copyright © 2019 IDG Communications, Inc.