97 Things Every Information Security Professional Should Know
by Christina Morillo
Copyright 2021 O'Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Acquisitions Editor: Mary Preap
- Development Editor: Angela Rufino
- Production Editor: Caitlin Ghegan
- Copyeditor: Charles Roumeliotis
- Proofreader: nSight Editorial Services
- Indexer: nSight Editorial Services
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Kate Dullea
- September 2021: First Edition
Revision History for the First Edition
- 2021-09-14: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781098101398 for release details.
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. 97 Things Every Information Security Professional Should Know, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.
The views expressed in this work are those of the authors, and do not represent the publisher's views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-098-10139-8
[LSI]
Preface
An information security professional or InfoSec Pro is responsible for protecting IT infrastructure including but not limited to devices, networks, software, and applications. InfoSec Pros are trained to find exploitable weaknesses and fix any potential issues to mitigate and minimize the risk of an attack.
However, the information security field is vast, and navigating a career as someone new or looking to explore other opportunities in the space can feel daunting and uncertain. From understanding enterprise operations, security engineering, and the cloud, to learning how to navigate the many situations or blockers you will face: these are some of the things you will encounter throughout your career in this industry.
When I was approached to create this book, I envisioned a guide full of practical and actionable advice to better help practitioners navigate the space. Whether you are curious and entry-level or have decades of experience, this book intends to help guide you through your journey by providing practical and technical knowledge you can put into practice starting today. It contains a collection of articles from a global set of information security practitioners, and provides readers with the best practices on solving shared security issues, valuable advice for navigating careers within this industry, and tools needed to solve everyday problems.
We hope that this book will help you better understand and put to practice:
- How to get started, whether you are new to the space or want to pivot into a different path within Information Security.
- How to assess an organization's security posture, and build and scale an Information Security team and program.
- How to understand and implement security and risk management controls.
- How to effectively communicate the importance of Information Security to C-level executives and more.
This book was born, written, and edited in 2020-2021, during a global pandemic. I am deeply grateful to everyone who contributed during a very challenging time. I would personally like to thank each contributing author for sharing their expertise, wisdom, and time. I also want to thank everyone at O'Reilly for making this possible.
My goal is that the articles in this book help you in your career day to day and continue to inspire you to ask questions, challenge assumptions, remain curious, and navigate the journey with ease and grace.
I hope you enjoy it!
O'Reilly Online Learning
Note
For more than 40 years, O'Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.
Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O'Reilly's online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O'Reilly and 200+ other publishers. For more information, visit http://oreilly.com.
How to Contact Us
Please address comments and questions concerning this book to the publisher:
- O'Reilly Media, Inc.
- 1005 Gravenstein Highway North
- Sebastopol, CA 95472
- 800-998-9938 (in the United States or Canada)
- 707-829-0515 (international or local)
- 707-829-0104 (fax)
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/97ThingsInfoSecPro.
Email to comment or ask technical questions about this book.
For news and information about our books and courses, visit http://oreilly.com.
Find us on Facebook: http://facebook.com/oreilly
Follow us on Twitter: http://twitter.com/oreillymedia
Watch us on YouTube: http://youtube.com/oreillymedia
Chapter 1. Continuously Learn to Protect Tomorrow's Technology
Alyssa Columbus
The exponentially increasing volume and variety of data being generated today is proving to be an unequivocal target for cyberattackers who see great value in destabilizing enterprise and national ecosystems to create political chaos and drive financial gain.
The SolarWinds hack successfully penetrated the executable files of a leading network monitoring system and is a stark example of the future of cyberattacks. To thwart future attacks at this level of sophistication, change management and ongoing education are needed at a professional level. Personal responsibility and ownership of staying current in information security, both on the latest vulnerabilities and exposures and with the latest technologies, aren't optional anymore. What's needed is a framework for continual self-improvement. I have provided the foundations of a framework that has worked for me here:
Learn with a community. I've personally found that I've developed new and existing skills much faster (by a magnitude of months) when I've joined a community of learners than when I was trying to learn the same skills alone. By attending local and online user groups, conferences, and other events, you can discover new concepts, hone new skills, and network with possible future colleagues. Also, in a community, you will gain a more holistic perspective of information security and a more complete picture of how others are managing successful information security programs.
Learn the fundamentals of effective communication. Although an emphasis is often placed on learning the technical skills necessary to succeed in information security, you also need to bring a similar level of intensity to improving your communication skills. Understanding how to secure a network or be in compliance with a privacy regulation is just as important as understanding how to communicate reports on these technical responsibilities to diverse audiences. Information security is a shared responsibility among every member of an organization, so the real impact of an information security professional's work depends on how well other people can understand their reports and make informed decisions to improve their security program.
Learn concepts hands-on, as it's the best way to grow and progress your information security skills. Participating in a CTF (capture the flag) or completing a basic project (e.g., securing a WiFi router) for a relative or friend and writing about your experience is often much better than only reading through abstract concepts in textbooks or certification exam study guides. Your experience using real-world tools is just as necessary as your experience studying for academic credentials and certifications, as it translates theoretical ideas into practical outcomes.
Learn how to ask the right questions. By far, the most challenging aspect of any profession to learn is the intuition for what questions there are to ask and which questions you should ask. The more experience you have and the more you engage your intellectual curiosity, the easier it will be to ask the right questions. Developing information security literacy, or knowing how to find the answers to these questions, can be achieved through risk assessment and mitigation education and practice.