12 things every IT security professional should know

Fighting the good fight takes specialized knowledge. Here's the baseline of what all security pros should know.

Fighting back

Few complex professions change with the velocity of IT security. Practitioners are faced with an average of 5,000 to 7,000 new software vulnerabilities a year. That’s like springing 15 new leaks in your defenses every day. That’s on top of the tens of millions of unique malware programs that threaten your IT environment each year.

Amid this deluge of constant threats, a single slip-up could compromise the crown jewels and put your company in an unwanted media spotlight, hurt your revenues, and get people fired.

This is not to say that your team can’t successfully fight back. Of course it can – and will.

Here are twelve things every computer security professional should know to successfully fight the good fight.

Your opponents’ motives

You can’t begin to successfully fight bad guys without understanding who they are and why they are after you. Every attacker has their own origin story and objectives, and these two things drive everything they do and how they do it.

Today, the hackers who threaten you do so with serious motives. Most fall into one of these categories:

  • Financial
  • Nation-state sponsored/cyberwarfare
  • Corporate espionage
  • Hacktivists
  • Resource theft
  • Cheating in multiplayer games

Even so, not every attack is the same. Understanding the motive behind an attack is an important key to solving it. Consider the ‘why’ along with everything else you do. That is the best way to determine what type of target your networks present, and it might also offer clues on how to defeat your opponent. I analyze hackers’ motives more thoroughly in What hackers do: their motivations and their malware.

Types of malware

There are three major types of malware: computer virus, trojan horse, and worm. Any malware program is an amalgam of one or more of these classifications.

A computer virus is a malware program that inserts itself into other programs, files, or digital storage in order to replicate. A trojan horse is a malware program that claims to be something legitimate in order to trick humans into setting it in motion. A trojan horse does not self-replicate; it relies on human curiosity to spread. A worm is a self-replicating program that uses its own code to spread itself; it does not need other host programs or files.

It’s important to understand these basic categories of malware so that when you do find a malware program, you can piece together the most likely scenario for how it got into your systems. This will help you understand where to look for the program’s point of origin and where it is likely to spread next.

Root cause exploits

Each year IT security professionals face thousands of new software vulnerabilities and millions of unique malware programs, yet only twelve different root cause exploits allow any of them into someone’s environment. Stop the root cause exploits and you’ll stop hacking and malware. Here are the twelve types of root cause exploits:

If any of this is unfamiliar, do some research. You can learn more about the importance of focusing on root causes by reading this white paper I wrote on the topic.

Cryptography and data protection

Digital cryptography is the art of making information secure against unauthorized access and modification. Every IT security professional should learn the basics of cryptography, including asymmetric encryption, symmetric encryption, hashing, and key distribution and protection.

Data protection requires a lot of cryptography. Complete data protection also demands that the data be lawfully collected and used, that you guard its privacy against unauthorized access, and that you back it up securely to prevent malicious modification and to ensure availability. Data protection is becoming increasingly required by law. A great tutorial on cryptography basics can be found here.

Networking and network packet analysis

You will be able to recognize the truly great IT security professionals on your team because they understand networks at the packet level. They are facile with network basics such as protocols, port numbers, network addresses, layers of the OSI model, the difference between a router and a switch, and are able to read and understand what all the various fields of a network packet are used for.

To understand network packet analysis is to truly understand networks and the computers that use them. A quick tutorial on network basics can be found here. A quick beginning course on network packet analysis can be found here.
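As an added example (not part of the original article), the kind of packet-level reading the section describes: a small parser that pulls the IPv4 and TCP header fields out of a raw packet. The sample packet is constructed by hand, has no Ethernet frame, and carries zero checksums for simplicity.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample (not a real capture): an IPv4/TCP SYN from 10.0.0.5:40000
# to 10.0.0.9:443, with no Ethernet frame and zero checksums for simplicity.
SAMPLE_PACKET = bytes.fromhex(
    "45000028"   # version 4, IHL 5 (20 bytes), DSCP/ECN 0, total length 40
    "1c460000"   # identification 0x1c46, flags 0, fragment offset 0
    "40060000"   # TTL 64, protocol 6 (TCP), header checksum (not computed here)
    "0a000005"   # source address 10.0.0.5
    "0a000009"   # destination address 10.0.0.9
    "9c4001bb"   # TCP source port 40000, destination port 443
    "00000001"   # sequence number 1
    "00000000"   # acknowledgement number 0
    "50020000"   # data offset 5 (20 bytes), flags = SYN, window 0
    "00000000"   # TCP checksum 0, urgent pointer 0
)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 6, the TCP header fields."""
    ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", raw[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(raw) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    info = {"src": str(IPv4Address(raw[12:16])), "dst": str(IPv4Address(raw[16:20])),
            "id": ident, "ttl": ttl, "protocol": proto, "total_length": total_len}
    if proto != 6:
        return info            # not TCP: stop after the network-layer fields
    if len(raw) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    data_offset = (off_flags >> 12) * 4                  # TCP header length in bytes
    flag_bits = off_flags & 0x1FF                        # low 9 bits are the flags
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
                 "window": window, "payload_length": total_len - ihl - data_offset})
    return info
```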

Basic common defenses

Almost every computer has common basic defenses, which good IT pros consider and apply. These are the “standards” of computer security. They include:

  • Patch Management
  • End-User Training
  • Firewalls
  • Antivirus
  • Secure Configurations
  • Encryption/Cryptography
  • Authentication
  • Intrusion Detection
  • Logging

Understanding and using the basic common IT security defenses is a must for every IT security professional. But don’t stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do. If you want to know which two defenses help decrease the most risk, read this.

Authentication basics

The best security professionals understand that authentication is more than the process of putting in a valid password or satisfying a two-factor ID test. It’s much more involved than that. Authentication begins with the process of providing a unique, valid identity label for any namespace – such as the email address, user principal name, or logon name.

Authentication is the process of providing one or more “secrets” that are known only to the valid identity holder and their authentication database/service. When the valid identity holder types in the correct authentication factor(s), this proves that the authenticated user is the valid owner of the identity. Then, after any successful authentication, the subject’s attempted accesses to protected resources are examined by a security manager process known as authorization. All logon and access attempts should be recorded in a log file. To learn about the most likely future changes in authentication, check out my story on this topic at CSO: “What is continuous user authentication?”
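The chain just described (identity label, secret, authentication, authorization, logging) in working form, as an added example that is not from the article. The identity store, the scrypt parameters and the resource names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed identity store (an assumption, not from the article): identity
# label -> salted scrypt hash of its secret plus the resources it may access.
# The secret itself is never stored, only a slow, salted hash derived from it.
def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1)

def enroll(store: dict, identity: str, secret: str, allowed) -> None:
    salt = os.urandom(16)
    store[identity] = {"salt": salt, "hash": hash_secret(secret, salt), "allowed": set(allowed)}

def _log(log: list, event: str, identity: str, ok: bool, **extra) -> None:
    # Every logon and access attempt is recorded, successful or not.
    log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                "identity": identity, "result": "success" if ok else "failure", **extra})

def authenticate(store: dict, identity: str, secret: str, log: list) -> bool:
    """Authentication: the caller proves knowledge of the secret tied to the identity label."""
    rec = store.get(identity)
    # Hash against a dummy salt for unknown identities too, so response time
    # does not reveal which identity labels exist in the namespace.
    salt = rec["salt"] if rec else bytes(16)
    computed = hash_secret(secret, salt)
    ok = rec is not None and hmac.compare_digest(computed, rec["hash"])
    _log(log, "logon", identity, ok)
    return ok

def authorize(store: dict, identity: str, resource: str, log: list) -> bool:
    """Authorization: after logon, each access attempt is checked against the allow set and logged."""
    ok = resource in store.get(identity, {}).get("allowed", set())
    _log(log, "access", identity, ok, resource=resource)
    return ok
```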

Mobile threats

There are now more mobile devices than people on the planet and most people get most of their information through a mobile device. Because humankind’s mobile prowess is only likely to increase, IT security professionals need to take mobile devices, mobile threats, and mobile security seriously. The top mobile threats include:

With many mobile threats, there isn’t much difference between how they threaten a mobile device and how they threaten a computer. But there are some differences, and it is a great IT pro's job to know what those are. Any IT professional not familiar with the particulars of mobile devices should become familiar ASAP. CSO has an entire section dedicated to mobile security. In particular, Stacy Collett wrote a relevant article on mobile threats that is worth reading.

Cloud security

Pop quiz: What four factors make cloud security more complex than traditional networks?

Every IT pro should be able to easily pass this test.

The answer is:

  • Lack of control
  • Always available on the internet
  • Multi-tenancy (shared services/servers)
  • Virtualization/containerization/microservices

The joke is (and isn’t) that cloud really means “other people’s computers” and all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure used to store sensitive data and serve users in the cloud. You have to trust that the cloud vendor’s security team is doing its job. Cloud infrastructures are almost always multi-tenant architectures, where keeping different customers' data separate can be complicated by virtualization and the more recent arrival of containerization and microservices. Heralded by some as a way to make security easier, each of these developments usually makes the infrastructure more complex. And complexity and security do not usually go hand-in-hand. Want to dig deeper into this topic? I recommend starting with this article on cloud security.

Event logging

Year after year, the research shows that the most missed security events were right there in the log files all along, just waiting to be discovered. All you have to do is look. A good event-log system is worth its weight in gold. And a good IT pro knows how to set one up and when to consult it.

Here are the basic steps of event logging, which every IT security professional should know:

  • Policy
  • Configuration
  • Event log collection
  • Normalization
  • Indexing
  • Storage
  • Correlation
  • Baselining
  • Alerting
  • Reporting

I dig into more detail on event logging basics in this story at InfoWorld.
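As an added example (not from the article), the middle of that pipeline in miniature: normalization of two log formats onto one schema, correlation by source address, a baseline check and alerting. The log lines, the per-source baseline and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in two formats (sshd syslog and a Windows logon export).
SAMPLE_LOGS = [
    "Mar 10 09:01:02 host1 sshd[201]: Failed password for bob from 203.0.113.7 port 5110 ssh2",
    "Mar 10 09:01:05 host1 sshd[201]: Failed password for bob from 203.0.113.7 port 5111 ssh2",
    "Mar 10 09:01:09 host1 sshd[201]: Failed password for root from 203.0.113.7 port 5112 ssh2",
    "Mar 10 09:01:15 host1 sshd[201]: Accepted password for bob from 203.0.113.7 port 5113 ssh2",
    "EventID=4625 Computer=WS01 User=alice Source=10.0.0.22 Status=failure",
    "EventID=4624 Computer=WS01 User=alice Source=10.0.0.22 Status=success",
]
SSH_RE = re.compile(r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"EventID=(?P<id>\d+) Computer=(?P<host>\S+) User=(?P<user>\S+) Source=(?P<src>\S+)")

def normalize(line):
    # Normalization: map both formats onto one schema (host, user, src, outcome).
    m = SSH_RE.search(line)
    if m:
        return {"host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "failure" if m["result"] == "Failed" else "success"}
    m = WIN_RE.search(line)  # 4625 = failed logon, 4624 = successful logon
    if m:
        return {"host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "failure" if m["id"] == "4625" else "success"}
    return None  # unknown format: count these rather than dropping them silently

def correlate(events):
    # Correlation: per source, total failures and failures before the first success.
    per_src = defaultdict(lambda: {"failures": 0, "failures_before_success": None})
    for ev in events:
        rec = per_src[ev["src"]]
        if ev["outcome"] == "failure":
            rec["failures"] += 1
        elif rec["failures_before_success"] is None:
            rec["failures_before_success"] = rec["failures"]
    return dict(per_src)

def alert(per_src, baseline_failures, factor=2.0, brute_force_min=3):
    # Baselining and alerting: a source far above the historical per-source
    # failure baseline, or a success after a run of failures, raises an alert.
    alerts = []
    for src, rec in per_src.items():
        pre = rec["failures_before_success"] or 0
        if rec["failures"] > baseline_failures * factor or pre >= brute_force_min:
            alerts.append({"src": src, "failures": rec["failures"], "failures_before_success": pre})
    return alerts

def run(lines, baseline_failures=1.0):
    return alert(correlate([e for e in map(normalize, lines) if e]), baseline_failures)
```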

Incident response

Eventually every IT environment suffers a failure of its defenses. Somehow, a hacker or their malware creation makes it through. Havoc, naturally, ensues. A good IT pro is ready for this with an incident response plan, which should be put into action immediately. A good incident response is essential. It can be the difference between an event that ruins your day and one that ends up in the media and tarnishes the character of your company. The basics of incident response include:

  • Respond effectively and in a timely fashion
  • Limit damage
  • Conduct forensic analysis
  • Identify the threat
  • Communicate
  • Limit future damage
  • Acknowledge lessons learned

Richard Bejtlich covers the basics of incident response in more detail in this article at CSO.

Threat education and communication

Most threats are well known and recur frequently. Every stakeholder from end-users to senior management and the board of directors needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.

Communication is an essential IT security professional skill. But you can’t simply rely on your charming personality because communication happens through a variety of methods including: face-to-face conversation, written documentation, emails, online learning modules, newsletters, tests, and simulated phishing.

Every good IT pro needs to be able to clearly and effectively communicate using verbal and written methods. When appropriate, she knows how to create or purchase the needed education and communication vehicles. No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:

  • The most likely, significant, threats and risks against the organization
  • Acceptable use
  • Security policy
  • How to authenticate and what to avoid
  • Data protection
  • Social engineering awareness
  • How and when to report suspicious security incidents

Looking for some hands-on, practical information security education advice? Check out “Ways to improve security education in the New Year” at CSO Online.