Five Key Cybersecurity Skills
In part one, we explained why it’s better to grow your own cybersecurity experts than shop on the open market. If CISOs can find people who are inspired by security, and who are willing and humble enough to go the distance, they should hold on to them—these are the people to nurture. In this part, we have broken down the foundational cybersecurity skills and knowledge for newcomers or aspiring security practitioners. These skills may not be enough to get you up to full speed, but they represent a broad and enduring platform that will provide the context to gain and apply more specific skills. If we’re honest, plenty of people already working in the field could stand to brush up on some of these concepts too. The lifelong learning part applies to everyone, and the basics are as important as the cutting edge.
Key Cybersecurity Skill: Stay Current on Predominant Attack Methods
Except for state-sponsored actors and hacktivists, who are primarily motivated by ideology, most attackers are trying to make money and don’t have time for innovation for its own sake. This is why in any given five-year period, a relatively small number of techniques generate the vast majority of attacks. It is, therefore, absolutely mandatory to know which attacks are prevalent at the moment and how they work.
It’s also important to recognize that all cyber attacks occur in the context of some kind of environment, and that several low-impact issues can be chained together to escalate privileges, pivot, and pull off something big.
How to Learn About Common Cyber Attacks
Start with the attacks themselves: the techniques, preconditions, impacts, and viable targets. As of 2020, the top attack techniques are focused on either apps (such as injection or widespread vulnerabilities) or access credential compromise (via phishing or password guessing/credential stuffing).
There is a huge amount of literature detailing the most prevalent attacks. Start here, but remember the goal for now isn’t to geek out on the details, it is to see the big picture and patterns:
- Review the OWASP Top 10.1
- Run through capture-the-flag (CTF) events.
- Read the Verizon Data Breach Investigation Report.2
- Read the F5 Labs Application Protection Reports (if we do say so ourselves).
- Peruse the Cyentia Cybersecurity Research Library.3
Nearly every aspect of the complex of protocols and services that make the World Wide Web function represent theoretical opportunities for attackers, so it is important to have some awareness of IP networking, DNS, TLS/PKI, and HTTP/REST architecture.
For most attacks, the technology platforms that host data and provide services are the terrain on which the battle is fought. Commonplace systems like Linux and Windows servers, SQL and noSQL databases, SharePoint and other groupware, and increasingly, various cloud and container technologies, are all systems that you should be aware of. A basic understanding of computing architectures and application development practices is important as well.
Key Cybersecurity Skill: Risk Analysis
Understanding technology is not the same as understanding security. As cybersecurity has become more mature, most security programs are now explicitly defined as risk management operations. That means you need to understand the basics of risk management:
- Risk as a product of probability and impact
- The difference between adversarial risk and natural events (attackers change tactics, earthquakes do not)
- The difference between qualitative and quantitative risk assessment methods (including the nuances of cost metrics and Red-Amber-Green heatmaps)
- The value of data-driven decision making
- Confidentiality, Integrity and Availability as the pillars of cybersecurity, and how they manifest in practice
- Dependencies within software, systems, and organizations
- Threat modeling—understanding attacker actions and goals against an asset in context of process
How to Learn Risk Analysis
Risk is fundamental to managing cybersecurity. Taking a risk-based approach sounds obvious, but it still is an elusive concept for many practitioners. We have seen even PhD candidates conflate impact, vulnerability, and risk. To learn this kind of thinking, we suggest that newcomers work through some analyses with real examples from their organization to learn how decisions were made, how controls were selected, and why.
There are many risk assessment frameworks and all have strengths and weaknesses. The important thing early on is not to specialize in one but to be familiar with all of them, because they are never chosen by the newbies anyway. We feel that the FAIR framework is one of the better ones and a great place to start.4
Key Cybersecurity Skill: Risk Management through Controls
Following a risk assessment, the next thing to do is to use controls to mitigate the biggest risks. The most crucial thing here is recognizing early on that there is no such thing as secure or insecure. Instead, this is about exchanging cost for a relative shift in risk exposure. It is all too common to see working professionals geeking out on attacks, developing point defenses that only protect a limited number of assets or against a limited number of threats, and not actually reducing overall risk.
Key Control Categories to Understand
You should begin by familiarizing yourself with the concept of security controls; particularly, the fact that controls can take many forms beyond firewalls or intrusion protection.
Inventory and Visibility
In a security setting, inventory is the process of detailing what you need to protect and what tools you have to do it. It sounds obvious, but it’s one of the most implacable problems in the field. Technical tools like network scanners are useful for this, but inventory also requires human interviews and documentation review. Even with all this effort, it is easy to miss something. Inventory is one of those problems that never really goes away. It will be a constant in your career.
You need to understand the differences in theory and practice between authentication, authorization, and accounting, as well as many of the practical ways that we accomplish these in contemporary systems. The principle of least privilege is a core part of access control as well.
It is important to understand the practical differences between different kinds of security testing. Testing options happen at different stages in the software development life cycle (SDLC), from code to running software. In addition, production testing should include internal and external vulnerability scanning as well as penetration testing. The practicalities of penetration testing such as methodologies, scoping, and expectations, are also important.
Pattern Matching and Signatures
Many controls use pattern matching in some form to automatically detect issues. This runs the gamut from web application firewalls, through web form input filtering, to antivirus. It is valuable to understand how this works. Regular expressions are also something that you should be able to recognize.
Newcomers to security should understand what logs are good for (hint: not just forensics), some common log formats, and good practices around log storage and analysis. We also feel it is important to actually look at logs to get any value from them. It sounds obvious, but lots of shops don’t review logs until something has happened.
Key Cybersecurity Skill: Compliance
Compliance is an entire field of its own. Since it will automatically become more important as you climb the ladder into management and leadership roles, it is only important for newcomers to understand the principles of compliance—the details can come later. The key concept is that the burden of proof is going to be on you. The audited organization has to prove to the auditors that they did what they’re supposed to do. It’s not about showing that a control is in place so much as proving that it has continually been in place throughout the audit period.
How to Learn Compliance
A lot of the mechanics of documenting controls are best learned in practice. We recommend starting with something generic like the NIST Cybersecurity framework. This will let you get a feel for the big picture of how controls are “supposed” to be deployed.5
Key Cybersecurity Skill: Explaining Risk and Compliance in Business Terms
Very few organizations pursue security for its own sake. It is fundamentally a support function, even if it is a critical one. For that reason, you will eventually need to communicate about your work with non-experts. And while IT security professionals should understand areas outside of technology, they should expect everyone else to be ignorant of security. You will need to repeatedly explain and justify IT security concepts to executives, project managers, human resource officers, legal counsel, physical security officers, and law enforcement. Here are some of the business and management aspects of security that are important:
- Express both tactics and objectives in business terms.
- Establish buy-in from department heads before beginning projects.
- Position security as a springboard, not a roadblock.
- Get used to complaints, being written off, and being circumvented. Engage with complaints head-on and find out specific causes for them.
How to Learn Security Communication
The simplest and most effective tool in this aspect of security work is being able to truly listen. Ask questions, pay attention, and learn as much as you can about other parts of the organization. Summarize what you hear back to eliminate misunderstandings. If you can, attend meetings with senior people to learn both how they do it and what the tone of security communication is like at your organization.
When communicating with business stakeholders, the key is to make risk meaningful in their terms, which is almost always money or time (which usually translates to money). Learn to convert events that impact confidentiality, integrity, or availability into rough costs (hint: availability turns a lot more heads than the other two).
Beyond Key Skills: Cybersecurity Career Paths
As soon as you’ve picked up all this (should only take a few days, right?) you can begin to specialize and gain specific skills in one of the many subfields we talked about in part one of the cybersecurity skills gap discussion. Which one you choose will depend on your talents and proclivities, the needs of your organization, and the shape of the industry at the time. In our next article, we will explore the landscape of jobs and roles in the field. Stay tuned!