12 things every computer security pro should know

Few complex professions change with the velocity of IT security. Practitioners are faced with an average of 5,000 to 7,000 new software vulnerabilities a year. Last year that number was a gob smacking 16,555. That’s like springing 13-45 new leaks in your defenses every day, day after day, year after year. That’s on top of the tens of millions of unique malware programs that threaten your IT environment each year and all the human adversaries who are also trying.

Amid this deluge of constant threats, a single slip-up could compromise the crown jewels and put your company in an unwanted media spotlight, hurt your revenues, and get people fired.

This is not to say that your team can’t successfully fight back. Of course it can – and will.

Here are twelve things every computer security professional should know to successfully fight the good fight.

1. Your opponents’ motives

You can’t begin to successfully fight bad guys without understanding who they are and why they are after you. All attackers have their own origin stories and objectives, and these two things drive everything they do and how they do it.

Today, the hackers who threaten you do so with serious motives. Most fall into one of these categories:

• Financial
• Nation-state sponsored/cyberwarfare
• Corporate espionage
• Hacktivists
• Resource theft
• Cheating in multiplayer games

Even with today’s bad guys, though, every attack is not the same. Understanding the motive for it is an important key to solving it. Consider the ‘why’ along with everything else you do. That is the best way to determine what type of target your networks present. It might also offer clues on how to defeat your opponent.

Related reading:

• What hackers do: their motivations and their malware.
• From phish to network compromise in two hours: How Carbanak operates
• Cybercrime groups raise the bar for security teams by borrowing APT techniques

2. Types of malware

There are three major types of malware: computer virus, trojan horse, and worm. Any malware program is an amalgam of one or more of these classifications.

A computer virus is a malware program that hosts itself inside of other programs, files, and in digital storage to replicate. A trojan horse is a malware program claiming to be something legitimate to trick humans into setting it in motion. A trojan horse does not self-replicate; it relies on the curiosity of humans to help it spread. A worm is a self-replicating program that uses code to spread itself. It does not need other host programs or files.

It’s important to understand these basic categories of malware so that when you do find a malware program, you can parse together the most likely scenario about how it got into your systems. This will help you understand where to look for the malware’s origination and understand where it will likely spread further.

Related reading:

• 9 types of malware and how to recognize them
• Famous malware threats: Where are they now?
• 6 ways malware can bypass endpoint protection

3. Root cause exploits

Each year IT security professionals face thousands of new software vulnerabilities and millions of unique malware programs, yet only twelve different root cause exploits allow each of those into someone’s environment. Stop the root cause exploits and you’ll stop hacking and malware. Here are the ten types of root exploits:

• Programming bug
• Social engineering
• Authentication attack
• Human error
• Misconfiguration
• Eavesdropping/man in the middle (MitM)
• Data/Network traffic malformation
• Insider attack
• Third-party reliance issue
• Physical attack

None of this should be unfamiliar. But that doesn’t mean it’s easy.

Related reading:

• Known vulnerabilities pose biggest IT security threats
• Five social engineering tricks and tactics employees still fall for
• What is an insider threat? 7 warning signs to watch for

4. Cryptography and data protection

Digital cryptography is the art of making information secure against unauthorized access and modification. Every IT security professional should learn the basics of cryptography, including asymmetric encryption, symmetric encryption, hashing, and key distribution and protection.

Data protection requires a lot of cryptography. Complete data protection also demands that the data be lawfully collected and used, that you guard its privacy against unauthorized access, and that you back it up securely to prevent malicious modification and to ensure availability. Data protection is becoming increasingly required by law. (The Geek Stuff has a great tutorial on cryptography basics.)

While you’re at it, make sure you keep up on the progress of quantum computers and their ability to crack modern day public key crypto. There’s a chance that in the next 10 years or less that you’ll be forced to move all the public key crypto you are used to (e.g. RSA, Diffie-Hellman, etc.) to cryptography known as post-quantum ciphers. The whole world is readying for the move, including the United States’ National Institute of Standards and Technology. Don’t be caught unaware of the coming drastic changes.

Related reading:

• How quantum computers will destroy and (maybe) save cryptography
• How MIT’s Fiat Cryptography might make the web more secure
• Are you crypto-agile?

5. Networking and network packet analysis

You will be able to recognize the truly great IT security professionals on your team because they understand networks at the packet level. They are facile with network basics such as protocols, port numbers, network addresses, layers of the OSI model, the difference between a router and a switch, and are able to read and understand what all the various fields of a network packet are used for.

To understand network packet analysis is to truly understand networks and the computers that use them. Geeksforgeeks has a quick tutorial on network basics and Vice has a quick beginning course on network packet analysis.

Related reading:

• Network traffic analysis tools must include these 6 capabilities
• Review: Corelight adds security clues to network packet analysis
• What is Wireshark? What this essential troubleshooting tool does and how to use it

6. Basic common defenses

Almost every computer has common basic defenses, which good IT pros consider and apply. These are the “standards” of computer security. They include:

• Patch management
• End-user training
• Firewalls
• Antivirus
• Secure configurations
• Encryption/cryptography
• Authentication
• Intrusion detection
• Logging

Understanding and using the basic common IT security defenses is a must for every IT security professional. But don’t stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do.

Related reading:

• The three most important ways to defend against security threats
• 10 topics every security training program should cover
• 6 steps for a solid patch management process

7. Authentication basics

The best security professionals understand that authentication is more than the process of putting in a valid password or satisfying a two-factor ID test. It’s much more involved than that. Authentication begins with the process of providing a unique, valid identity label for any namespace – such as the email address, user principal name, or logon name.

Authentication is the process of providing one or more “secrets” that are only known by the valid identity holder and his authentication database/service. When the valid identity holder types in the correct authentication factor(s), this proves that the authenticated user is the valid owner of the identity. Then, after any successful authentication, the subject’s attempted accesses to protected resources is examined by a security manager process known as authorization. All logon and access attempts should be documented to a log file.

Like everything else in security, authentication is evolving. One of the newer concepts, and one that I believe is among the most likely to take hold, is continuous user authentication, in which everything a logged in user does is constantly re-evaluated against a established pattern.

Related reading:

• What is the future of authentication? Hint: It’s not passwords, passphrases or MFA
• How to evaluate web authentication methods
• What is two-factor authentication (2FA)? How to enable it and why you should

8. Mobile threats

There are now more mobile devices than people on the planet and most people get most of their information through a mobile device. Because humankind’s mobile prowess is only likely to increase, IT security professionals need to take mobile devices, mobile threats, and mobile security seriously. The top mobile threats include:

• Mobile malware
• Privacy invasion/theft
• Ransomware
• Phishing attacks
• Spyware
• Data or credential theft
• Picture theft
• Unsecured wireless

There isn’t usually much difference between mobile threats and computer threats, but there are some differences. And it is a great IT pro’s job to know what those are.

Related reading:

• 7 mobile security threats you should take seriously in 2019
• One in three organizations suffered data breaches due to mobile devices
• Best Android security app? Why you’re asking the wrong question

9. Cloud security

Pop quiz: What four factors make cloud security more complex than traditional networks?

Every IT pro should be able to easily pass this test.

The answer is:

• Lack of control
• Always available on the internet
• Multitenancy (shared services/servers)
• Virtualization/containerization/microservices

The joke is (and isn’t) that cloud really means “other people’s computers” and all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure used to store sensitive data and service users. You have to trust that the cloud vendor’s security team is doing its job. Cloud infrastructures are almost always multitenant architectures, where keeping different customers’ data separate can be complicated by virtualization and the recent containerization and development of microservices. Heralded by some as a way to help make security easier to do, each development usually makes the infrastructure more complex. And complexity and security do not usually go hand-in-hand.

Related reading:

• The dirty dozen: 12 top cloud security threats
• Top cloud security controls you should be using
• How do you secure the cloud? New data points a way

10. Event logging

Year after year, the research shows that the most missed security events were right there in the log files all along, just waiting to be discovered. All you have to do is look. A good event-log system is worth its weight in gold. And a good IT pro knows how to set one up and when to consult it.

Here are the basic steps of event logging, which every IT security professional should know:

• Policy
• Configuration
• Event log collection
• Normalization
• Indexing
• Storage
• Correlation
• Baselining
• Alerting
• Reporting

Related reading:

• Why you need centralized logging and event log management
• Detect the undetectable: Start with event logs
• Event log management made easy

11. Incident response

Eventually every IT environment suffers a failure of its defenses. Somehow, a hacker or their malware creation makes it through. Havoc, naturally, ensues. A good IT pro is ready for this with an incident response plan, which should be put into action immediately. A good incident response is essential. It can be the difference between an event that ruins your day and one that ends up in the media and tarnishes the character of your company. The basics of incident response include:

• Respond effectively and in a timely fashion
• Limit damage
• Conduct forensic analysis
• Identification of the threat
• Communication
• Limit future damage
• Acknowledge lessons learned

Related reading:

• 6 steps for building a robust incident response plan
• What it takes to be a security incident responder
• Two incident response phases most organizations get wrong

12. Threat education and communication

Most threats are well known and re-occur frequently. Every stakeholder from end users to senior management and the board of directors needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company.  So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.

No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:

• The most likely, significant, threats and risks against the organization
• Acceptable use
• Security policy
• How to authenticate and what to avoid
• Data protection
• Social engineering awareness
• How and when to report suspicious security incidents

Related reading:

• 4 steps to launch a security awareness training program
• 12 tips for effectively presenting cybersecurity to the board
• 5 reasons to take a fresh look at your security policy