Fighting the good fight takes specialized knowledge. Here's the baseline of what all security pros should know.

Few complex professions change with the velocity of IT security. Practitioners are faced with an average of 5,000 to 7,000 new software vulnerabilities a year. Last year that number was a gobsmacking 16,555. That's like springing 13-45 new leaks in your defenses every day, day after day, year after year. That's on top of the tens of millions of unique malware programs that threaten your IT environment each year, and all the human adversaries who are also trying.

Amid this deluge of constant threats, a single slip-up could compromise the crown jewels and put your company in an unwanted media spotlight, hurt your revenues, and get people fired.

This is not to say that your team can't successfully fight back. Of course it can, and will.

Here are twelve things every computer security professional should know to successfully fight the good fight.

1. Your opponents' motives

You can't begin to successfully fight bad guys without understanding who they are and why they are after you. All attackers have their own origin stories and objectives, and these two things drive everything they do and how they do it.

Today, the hackers who threaten you do so with serious motives. Most fall into one of these categories:

- Financial
- Nation-state sponsored/cyberwarfare
- Corporate espionage
- Hacktivists
- Resource theft
- Cheating in multiplayer games

Even with today's bad guys, though, every attack is not the same. Understanding the motive for an attack is an important key to solving it. Consider the 'why' along with everything else you do. That is the best way to determine what type of target your networks present.
It might also offer clues on how to defeat your opponent.

Related reading:
- What hackers do: their motivations and their malware
- From phish to network compromise in two hours: How Carbanak operates
- Cybercrime groups raise the bar for security teams by borrowing APT techniques

2. Types of malware

There are three major types of malware: computer virus, trojan horse, and worm. Any malware program is an amalgam of one or more of these classifications.

A computer virus is a malware program that hosts itself inside other programs, files, and digital storage in order to replicate. A trojan horse is a malware program claiming to be something legitimate to trick humans into setting it in motion. A trojan horse does not self-replicate; it relies on the curiosity of humans to help it spread. A worm is a self-replicating program that uses code to spread itself. It does not need other host programs or files.

It's important to understand these basic categories of malware so that when you do find a malware program, you can piece together the most likely scenario of how it got into your systems. This will help you understand where to look for the malware's origin and where it will likely spread next.

Related reading:
- 9 types of malware and how to recognize them
- Famous malware threats: Where are they now?
- 6 ways malware can bypass endpoint protection

3. Root cause exploits

Each year IT security professionals face thousands of new software vulnerabilities and millions of unique malware programs, yet only twelve different root cause exploits allow each of those into someone's environment. Stop the root cause exploits and you'll stop hacking and malware. Here are the ten types of root exploits:

- Programming bug
- Social engineering
- Authentication attack
- Human error
- Misconfiguration
- Eavesdropping/man in the middle (MitM)
- Data/network traffic malformation
- Insider attack
- Third-party reliance issue
- Physical attack

None of this should be unfamiliar.
But that doesn't mean it's easy.

Related reading:
- Known vulnerabilities pose biggest IT security threats
- Five social engineering tricks and tactics employees still fall for
- What is an insider threat? 7 warning signs to watch for

4. Cryptography and data protection

Digital cryptography is the art of making information secure against unauthorized access and modification. Every IT security professional should learn the basics of cryptography, including asymmetric encryption, symmetric encryption, hashing, and key distribution and protection. Data protection requires a lot of cryptography. Complete data protection also demands that the data be lawfully collected and used, that you guard its privacy against unauthorized access, and that you back it up securely to prevent malicious modification and to ensure availability. Data protection is increasingly required by law. (The Geek Stuff has a great tutorial on cryptography basics.)

While you're at it, make sure you keep up on the progress of quantum computers and their ability to crack modern-day public key crypto. There's a chance that in the next 10 years or less you'll be forced to move all the public key crypto you are used to (e.g. RSA, Diffie-Hellman, etc.) to cryptography known as post-quantum ciphers. The whole world is readying for the move, including the United States' National Institute of Standards and Technology. Don't be caught unaware of the coming drastic changes.

Related reading:
- How quantum computers will destroy and (maybe) save cryptography
- How MIT's Fiat Cryptography might make the web more secure
- Are you crypto-agile?

5. Networking and network packet analysis

You will be able to recognize the truly great IT security professionals on your team because they understand networks at the packet level.
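To make "understanding networks at the packet level" concrete, here is an added example (not code from the article or its author): a small standard-library parser that decodes the IPv4 and TCP header fields of a raw packet. The packet bytes are constructed by hand inside the block (checksums left at zero) so it runs offline; the dataclass and function names are the example's own.

```python
"""Decode IPv4 and TCP header fields from raw packet bytes with only the standard library.

Added example, not from the article. The packet is constructed by hand below
(checksums left at zero) so the parser can be run offline; it shows the fields
a packet-level reader looks at first: addresses, TTL, protocol, ports, flags.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

@dataclass
class Ipv4Header:
    ihl: int            # header length in 32-bit words (5 = no options)
    total_length: int   # header plus payload, in bytes
    ttl: int
    protocol: int
    src: str
    dst: str

@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int    # header length in 32-bit words
    flags: dict[str, bool]

def parse_ipv4(data: bytes) -> tuple[Ipv4Header, bytes]:
    """Return the IPv4 header and the payload it encapsulates (clipped to total_length)."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_length, _ident, _flags_frag,
     ttl, protocol, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = version_ihl >> 4, version_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    header_len = ihl * 4
    if ihl < 5 or len(data) < header_len or total_length < header_len:
        raise ValueError("inconsistent IHL/total length: malformed or truncated packet")
    header = Ipv4Header(ihl, total_length, ttl, protocol,
                        ".".join(map(str, src)), ".".join(map(str, dst)))
    return header, data[header_len:total_length]

def parse_tcp(segment: bytes) -> tuple[TcpHeader, bytes]:
    """Return the TCP header and the application payload that follows it."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, offset_reserved, flag_bits,
     _window, _checksum, _urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = offset_reserved >> 4
    header_len = data_offset * 4
    if data_offset < 5 or len(segment) < header_len:
        raise ValueError("inconsistent data offset: malformed or truncated segment")
    flags = {name: bool(flag_bits & bit) for name, bit in TCP_FLAG_BITS.items()}
    return TcpHeader(src_port, dst_port, seq, ack, data_offset, flags), segment[header_len:]

def summarize(packet: bytes) -> dict:
    """One-line style summary, the way a packet analyzer's list view would show it."""
    ip, rest = parse_ipv4(packet)
    info = {"src": ip.src, "dst": ip.dst, "ttl": ip.ttl,
            "protocol": PROTOCOL_NAMES.get(ip.protocol, str(ip.protocol))}
    if ip.protocol == 6:
        tcp, payload = parse_tcp(rest)
        info.update(src_port=tcp.src_port, dst_port=tcp.dst_port,
                    flags=[name for name, set_ in tcp.flags.items() if set_],
                    payload_len=len(payload))
    return info

def build_sample_packet() -> bytes:
    """Constructed sample: a TCP SYN from 10.0.0.5:40000 to 10.0.0.9:443 with no payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0x1000, 0, 5 << 4, TCP_FLAG_BITS["SYN"], 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp

if __name__ == "__main__":
    print(summarize(build_sample_packet()))
```

The length checks matter as much as the field decoding: a parser that trusts the IHL or data-offset fields without comparing them to the bytes actually present is exactly the kind of code that malformed traffic (root cause "network traffic malformation" above) is aimed at.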
They are facile with network basics such as protocols, port numbers, network addresses, the layers of the OSI model, and the difference between a router and a switch, and they are able to read and understand what all the various fields of a network packet are used for.

To understand network packet analysis is to truly understand networks and the computers that use them. Geeksforgeeks has a quick tutorial on network basics and Vice has a quick beginning course on network packet analysis.

Related reading:
- Network traffic analysis tools must include these 6 capabilities
- Review: Corelight adds security clues to network packet analysis
- What is Wireshark? What this essential troubleshooting tool does and how to use it

6. Basic common defenses

Almost every computer has common basic defenses, which good IT pros consider and apply. These are the "standards" of computer security. They include:

- Patch management
- End-user training
- Firewalls
- Antivirus
- Secure configurations
- Encryption/cryptography
- Authentication
- Intrusion detection
- Logging

Understanding and using the basic common IT security defenses is a must for every IT security professional. But don't stop at simply knowing about them. Know, too, what they are good at stopping and what they fail to do.

Related reading:
- The three most important ways to defend against security threats
- 10 topics every security training program should cover
- 6 steps for a solid patch management process

7. Authentication basics

The best security professionals understand that authentication is more than the process of putting in a valid password or satisfying a two-factor ID test. It's much more involved than that. Authentication begins with the process of providing a unique, valid identity label for any namespace, such as the email address, user principal name, or logon name.

Authentication is the process of providing one or more "secrets" that are only known by the valid identity holder and his authentication database/service.
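The "secret known only to the identity holder and the authentication service" is where the hashing and key-derivation basics from section 4 meet authentication in practice. As an added example (not code from the article), the block below stores only a salted PBKDF2-HMAC-SHA256 digest of each password, verifies in constant time, and records every logon attempt. The identities, passwords and iteration count are constructed sample values and assumptions of the example.

```python
"""Salted key derivation for stored authentication secrets, with constant-time verification.

Added example, not from the article. The service never stores the password,
only a salted PBKDF2-HMAC-SHA256 digest, and every logon attempt is recorded.
User names and passwords are constructed sample data; ITERATIONS is an assumed
value kept low so the example runs quickly.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000     # assumption: tune upward for production hardware
ALGORITHM = "pbkdf2_sha256"

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = secrets.token_bytes(16)  # fresh random salt per user: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed check rather than crashing
    # compare_digest does not leak how many leading bytes matched through timing
    return hmac.compare_digest(candidate, expected)

# Constructed sample database: the identity label maps to the stored record, never to the secret.
USER_DB: dict[str, str] = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("hunter2"),
}

# Record for a throwaway password so unknown identities cost the same time as known ones.
DUMMY_RECORD = hash_password(secrets.token_hex(16))

AUDIT_LOG: list[dict] = []   # every logon attempt, successful or not, gets documented

def authenticate(identity: str, password: str, db: dict[str, str] = USER_DB) -> bool:
    """Check the secret for an identity label and log the outcome."""
    record = db.get(identity)
    if record is None:
        verify_password(password, DUMMY_RECORD)   # equalize timing; result discarded
        ok = False
    else:
        ok = verify_password(password, record)
    AUDIT_LOG.append({"identity": identity, "known_identity": record is not None,
                      "result": "success" if ok else "failure"})
    return ok

if __name__ == "__main__":
    print(authenticate("alice@example.com", "correct horse battery staple"))
    print(authenticate("alice@example.com", "wrong"))
    print(AUDIT_LOG)
```

Two design points: the per-user salt means two users with the same password do not share a digest, and the dummy verification for unknown identities keeps a failed logon from revealing, through response time alone, which identity labels exist.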
When the valid identity holder types in the correct authentication factor(s), this proves that the authenticated user is the valid owner of the identity. Then, after any successful authentication, the subject's attempted accesses to protected resources are examined by a security manager process known as authorization. All logon and access attempts should be documented to a log file.

Like everything else in security, authentication is evolving. One of the newer concepts, and one that I believe is among the most likely to take hold, is continuous user authentication, in which everything a logged-in user does is constantly re-evaluated against an established pattern.

Related reading:
- What is the future of authentication? Hint: It's not passwords, passphrases or MFA
- How to evaluate web authentication methods
- What is two-factor authentication (2FA)? How to enable it and why you should

8. Mobile threats

There are now more mobile devices than people on the planet, and most people get most of their information through a mobile device. Because humankind's mobile prowess is only likely to increase, IT security professionals need to take mobile devices, mobile threats, and mobile security seriously. The top mobile threats include:

- Mobile malware
- Privacy invasion/theft
- Ransomware
- Phishing attacks
- Spyware
- Data or credential theft
- Picture theft
- Unsecured wireless

There isn't usually much difference between mobile threats and computer threats, but there are some differences. And it is a great IT pro's job to know what those are.

Related reading:
- 7 mobile security threats you should take seriously in 2019
- One in three organizations suffered data breaches due to mobile devices
- Best Android security app? Why you're asking the wrong question

9. Cloud security

Pop quiz: What four factors make cloud security more complex than traditional networks? Every IT pro should be able to easily pass this test. The answer is:

- Lack of control
- Always available on the internet
- Multitenancy (shared services/servers)
- Virtualization/containerization/microservices

The joke is (and isn't) that cloud really means "other people's computers" and all the risk that entails. Traditional corporate administrators no longer control the servers, services, and infrastructure used to store sensitive data and serve users. You have to trust that the cloud vendor's security team is doing its job. Cloud infrastructures are almost always multitenant architectures, where keeping different customers' data separate can be complicated by virtualization and by the more recent arrival of containerization and microservices. Heralded by some as a way to make security easier, each of these developments usually makes the infrastructure more complex. And complexity and security do not usually go hand in hand.

Related reading:
- The dirty dozen: 12 top cloud security threats
- Top cloud security controls you should be using
- How do you secure the cloud? New data points a way

10. Event logging

Year after year, the research shows that the most missed security events were right there in the log files all along, just waiting to be discovered. All you have to do is look. A good event-log system is worth its weight in gold. And a good IT pro knows how to set one up and when to consult it.

Here are the basic steps of event logging, which every IT security professional should know:

- Policy
- Configuration
- Event log collection
- Normalization
- Indexing
- Storage
- Correlation
- Baselining
- Alerting
- Reporting

Related reading:
- Why you need centralized logging and event log management
- Detect the undetectable: Start with event logs
- Event log management made easy

11. Incident response

Eventually every IT environment suffers a failure of its defenses. Somehow, a hacker or their malware creation makes it through.
Havoc, naturally, ensues. A good IT pro is ready for this with an incident response plan, which should be put into action immediately. A good incident response is essential. It can be the difference between an event that ruins your day and one that ends up in the media and tarnishes your company's reputation. The basics of incident response include:

- Respond effectively and in a timely fashion
- Limit damage
- Conduct forensic analysis
- Identify the threat
- Communicate
- Limit future damage
- Acknowledge lessons learned

Related reading:
- 6 steps for building a robust incident response plan
- What it takes to be a security incident responder
- Two incident response phases most organizations get wrong

12. Threat education and communication

Most threats are well known and recur frequently. Every stakeholder, from end users to senior management and the board of directors, needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often the thing that separates a great IT pro from a mediocre one.

No matter what technical controls you deploy, every year something will make it past them. So, make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:

- The most likely, significant threats and risks against the organization
- Acceptable use
- Security policy
- How to authenticate and what to avoid
- Data protection
- Social engineering awareness
- How and when to report suspicious security incidents

Related reading:
- 4 steps to launch a security awareness training program
- 12 tips for effectively presenting cybersecurity to the board
- 5 reasons to take a fresh look at your security policy
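As an added example (not code from the article), here is a miniature version of the event logging steps listed in section 10, run end to end: collection, normalization of two different log formats onto one schema, correlation of events from the same source, a baseline derived from historical counts, alerting, and a summary report of the kind an incident response plan (section 11) is triggered by. The log lines, the historical counts, the five-minute window and the thresholds are all constructed values and assumptions of the example.

```python
"""A miniature event-log pipeline: collect, normalize, correlate, baseline, alert, report.

Added example, not from the article. The log lines are constructed samples in two
formats (OpenSSH-style syslog and a JSON application log); the window, thresholds
and historical counts are assumptions chosen for illustration.
"""
from __future__ import annotations
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Collection: constructed lines, as a log shipper would deliver them.
RAW_EVENTS = [
    "Jun 12 10:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jun 12 10:00:04 bastion sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2",
    "Jun 12 10:00:07 bastion sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "Jun 12 10:00:09 bastion sshd[1004]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2",
    "Jun 12 10:00:10 bastion CRON[55]: pam_unix(cron:session): session opened for user root",
    '{"ts": "2023-06-12T10:00:15Z", "app": "portal", "event": "login", "user": "alice", "src": "203.0.113.7", "ok": false}',
    '{"ts": "2023-06-12T10:00:22Z", "app": "portal", "event": "login", "user": "bob", "src": "203.0.113.7", "ok": false}',
    '{"ts": "2023-06-12T10:00:30Z", "app": "portal", "event": "login", "user": "test", "src": "203.0.113.7", "ok": false}',
    '{"ts": "2023-06-12T10:01:00Z", "app": "portal", "event": "login", "user": "bob", "src": "203.0.113.7", "ok": true}',
]
# Baselining input: constructed failed-logon counts from previous comparable periods.
HISTORY = [1, 0, 2, 1, 0, 1, 2, 1]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def normalize(line: str, year: int = 2023) -> dict | None:
    """Normalization: map either input format onto one schema (ts, host, user, src, outcome)."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("event") != "login":
            return None
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        return {"ts": ts, "host": rec.get("app", "app"), "user": rec["user"], "src": rec["src"],
                "outcome": "success" if rec["ok"] else "failure"}
    return None  # not an authentication event; counted as dropped in the report

def correlate(events: list[dict], window=timedelta(minutes=5), burst_threshold: int = 5) -> list[dict]:
    """Correlation: tie events from one source together across both log formats."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(fails):               # sliding window over failures
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= burst_threshold:
                alerts.append({"rule": "auth-burst", "src": src, "count": len(burst),
                               "users": sorted({f["user"] for f in burst})})
                break
        for e in evs:                                   # a success right after repeated failures
            if e["outcome"] == "success":
                prior = [f for f in fails if timedelta(0) <= e["ts"] - f["ts"] <= window]
                if len(prior) >= 3:
                    alerts.append({"rule": "success-after-failures", "src": src,
                                   "user": e["user"], "prior_failures": len(prior)})
    return alerts

def baseline_threshold(history: list[int]) -> float:
    """Baselining: what failure volume is normal? Alert above mean + 3 standard deviations."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) if len(history) > 1 else 0.0
    return mean + 3 * sd

def run_pipeline(lines: list[str] = RAW_EVENTS, history: list[int] = HISTORY) -> dict:
    """Alerting and reporting: one summary a responder can act on."""
    normalized = [normalize(line) for line in lines]
    events = [e for e in normalized if e is not None]
    failures = sum(1 for e in events if e["outcome"] == "failure")
    alerts = correlate(events)
    threshold = baseline_threshold(history)
    if failures > threshold:
        alerts.append({"rule": "failure-volume", "count": failures, "threshold": round(threshold, 2)})
    return {"events": len(events), "dropped": len(normalized) - len(events),
            "failure_total": failures, "baseline_threshold": round(threshold, 2), "alerts": alerts}

if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

The "success-after-failures" rule only fires because normalization put the SSH failures and the web portal events on one schema first; read separately, neither log shows the full pattern, which is the article's point about events hiding in plain sight.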