The Right Cybersecurity Training

Teach your team to make decisions that help prevent and detect data breaches

Teri Radichel
Cloud Security


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: 2nd Sight Lab doesn’t offer training anymore. We recommend getting a penetration test from us and then we’ll show your staff what problems exist and how to fix them from a more holistic and architectural perspective than most penetration test companies. Learning through experience is sometimes more impactful. It’s how many security researchers got their start in cybersecurity.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Think for a minute about how companies make cybersecurity decisions that ultimately lead to a data breach — or not. Leaders need to understand the big picture and have accurate information to make effective decisions at a macro level. They need to be able to communicate cyber-directives to staff. Then they need to be able to count on the people below them to make the right individual decisions that align with stated business objectives and organizational risk posture. It only takes one mistake to facilitate the next cyber breach. How can leaders mitigate this risk when it is dependent on so many individual decisions and so many data points?

Get the full book by Teri Radichel in paperback or ebook format on Amazon: Cybersecurity for Executives in the Age of Cloud

Based on the rise in data breaches, having the security teams making recommendations and telling people what they did wrong after the fact isn’t working. The shift in authority to make security-related decisions from people with years of experience in security, networking and IT systems management to people with no such training or experience as companies move to the cloud is only making it worse. 2019 is on track to be the worst year to date for cyber breaches according to some reports with over 4.1 Billion records exposed in the first half of the year. Many of these breaches were the result of simple misconfigurations.

How can we turn this statistic around? Don’t blame the CISO.

First, we need to understand who is responsible for the decisions that are causing these breaches. Is it the security team? In almost every case, no.

Most of these massive data breaches are the result of misconfigurations implemented by teams outside the security department. It is highly likely that the security team had no input or visibility into the action that led to the breach. When it comes to SaaS (Software-as-a-Service) cloud solutions, often a business unit signs up for the application and the security team finds out after the fact. In other cases, the security team assesses the SaaS application before signing a contract but then has no visibility into how the application is implemented and maintained after that point. Sometimes executive leadership approves application architectures with significant security flaws against cybersecurity recommendations and best practices. Everyone involved in making security-related decisions is, in part, responsible for any data breach resulting from those judgment calls.

Secondly, we need to understand that most people are not doing this intentionally. Generally, people in an organization do not want to be responsible for the next massive data breach on the front page of the news. The problem is that the people making the day-to-day decisions that increase the risk of a data breach have not had the type of security training they need to understand when and how their actions may lead to a security incident. They may also be facing pressure from managers and executives within the organization who want them to hurry up and get things done. Organizational pressures or duties sometimes override best practices even when the person is aware of the risk.

For these reasons, every level of the organization requires training to improve cybersecurity decision-making and actions across the board. When developers understand security, they implement secure solutions from the start. When management understands cybersecurity and the potential cost of a mistake, they are less apt to pressure teams to build blatantly insecure systems. The training needs to be impactful and focused on the right information that makes a difference when it comes to stopping breaches. Watching security awareness videos is not enough.

Most breaches are the result of fundamental security flaws. These are not complex decisions. Attackers are exploiting very simple misconfigurations, not leveraging zero-day malware, in the majority of breaches. Knowing cybersecurity fundamentals helps decision-makers when it comes to making decisions about system implementation. Additionally, by understanding what causes breaches, decision-makers can implement better monitoring, metrics, and alerting to help spot and mitigate cybersecurity risks. Many security breaches could be uncovered more quickly if those responsible for implementing and monitoring systems understood how to spot the movements and actions of attackers and implemented systems in ways that improve visibility of these actions.

The training your cyber defenders need

What is one of the first things that happens when someone joins the military? They don’t go into battle. They go through basic training. Everyone in the military learns the necessary skills to be a good soldier. Every individual in the military needs to do their part in the face of an attack. Individual soldiers take orders, but also, every individual needs to have the appropriate skills and know what to do to have a capable military that can win battles. People who have shared similar training experiences will help reinforce collective knowledge and skills. Organizations need to do more than say cybersecurity is a priority. They need to train people so that the people in the organization know what to do and why it matters when it comes to implementing security controls and monitoring.

Anyone who makes decisions that impact system configuration and implementation is part of your cyber army. These are the people who are making the decisions that keep systems secure or change systems in ways that increase attack vectors and create vulnerabilities. These are the people writing code, designing the architecture, and approving system changes that end up in your production environment. These are the people who decide what to monitor, what not to monitor, and what to do when they get an alert or see something abnormal in your system logs. Although you can buy cybersecurity products that include AI and machine learning to help you spot cybersecurity problems within your organization, at the end of the day someone needs to monitor these systems, and they require the capability to decipher the logs and take appropriate actions.

What do executives need to know?

Business people say security people need to understand the business objectives for the company to make money. Security teams do need to learn to say “How” instead of “No,” but this isn’t the biggest issue in my opinion. I’ve worked at all levels of companies, from startups to Fortune 150 companies to running my own software consulting and web application hosting company. Business objectives almost always trump security in my experience. I feel that the more significant gap is executives who don’t understand the impact of their decisions on cybersecurity risk. The breach statistics I just shared indicate that somewhere, a breakdown in decision-making exists. Analysis of recent breaches indicates that the decisions were a blatant disregard or misunderstanding of best practices, not well-intentioned analysis gone wrong.

In most cases, the executives did not have the most basic security training to understand why and how their actions were contributing to a more significant potential for a data breach — or they were facing organizational pressures from above that led them to choose unwisely. Sometimes, middle-level executives receive pressure from top-level executives to approve projects. This leads to less than ideal security decisions at times. Overall, businesses don’t have a sufficient way to measure cybersecurity risk, and this stems, in part, from systems not designed to report it effectively. Building systems that report accurate cybersecurity metrics costs time and money, but it is a pay-now-or-pay-later scenario. An investment in systems that help report accurate cybersecurity statistics helps companies prevent breaches and respond to threats more quickly.

Trying to explain cybersecurity to executives in five minutes when the pressure is on to get a project done is not the best approach. Provide time dedicated to understanding how breaches happen and what executives can do to make better decisions — before the project is on the brink of going over budget and failing to meet a deadline due to cybersecurity risk. Training everyone within the organization to make better security decisions from the ground up leads to fewer escalations and conflicts between developers, project and product managers, and security teams. More importantly, it helps prevent data breaches at the point where vulnerabilities infiltrate systems, and people make crucial decisions.

What do developers need to know?

Often a developer is focusing on making something work, not system security. A developer is thinking, “I put an asterisk (*) in my CORS configuration, and I stopped getting that pesky error message. Cool.” rather than “Hmm, I wonder why that CORS configuration is there and what it’s supposed to do.” Hint: A CORS (Cross-Origin Resource Sharing) configuration is designed to protect websites from attacks facilitated by third-party content that attempts to steal cookies and cause users to take unwanted actions without their knowledge. I have run across misconfigured CORS policies in many penetration tests because people didn’t understand what it was or why it even exists. A team I managed implemented this very “fix,” which I hope they have reconfigured by now. (I left that team before getting that issue resolved.)
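To make the asterisk problem concrete, here is an added example (not code from the article) of the two ways a cookie-authenticated JSON API can answer a cross-origin request: the wildcard “fix” beside an explicit allow list, plus a small audit function a security team could run over service configs. The origins, config shape, and function names are constructed for the example.

```javascript
// Added example, not code from the article. A minimal CORS decision function
// for a cookie-authenticated JSON API, plus an audit that flags the wildcard
// "fix" described above. Origins and the config shape are constructed.

const WEAK_CONFIG = {
  // The "*" that makes the browser error go away: the server no longer says
  // which sites it trusts, so any origin on the web may read its responses.
  allowedOrigins: '*',
  allowCredentials: false,
};

const STRICT_CONFIG = {
  allowedOrigins: ['https://app.example.com'], // constructed trusted origin
  allowCredentials: true,                      // cookies allowed only for it
  allowedMethods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type'],
};

// Returns the CORS response headers the server should emit for a request
// carrying the given Origin header (undefined for same-origin or non-browser
// callers). No headers means the browser refuses to expose the response.
function corsHeaders(requestOrigin, config) {
  const headers = {};
  if (config.allowedOrigins === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
    return headers; // no trust decision is made at all
  }
  if (!requestOrigin || !config.allowedOrigins.includes(requestOrigin)) {
    return headers; // origin not trusted: stay silent
  }
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Vary'] = 'Origin'; // stop caches serving one origin's answer to another
  if (config.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  headers['Access-Control-Allow-Methods'] = config.allowedMethods.join(', ');
  headers['Access-Control-Allow-Headers'] = config.allowedHeaders.join(', ');
  return headers;
}

// Review check for service configs: returns human-readable findings,
// empty when the config is acceptable.
function auditCorsConfig(config) {
  const findings = [];
  if (config.allowedOrigins === '*') {
    findings.push("wildcard origin: any website may read this API's responses");
    if (config.allowCredentials) {
      // Browsers reject "*" together with credentials; the right fix is an
      // explicit origin list, not echoing whatever Origin the request sent.
      findings.push('wildcard origin with credentials: replace "*" with an explicit origin list');
    }
    return findings;
  }
  for (const origin of config.allowedOrigins) {
    if (!origin.startsWith('https://')) {
      findings.push(`non-HTTPS origin in allow list: ${origin}`);
    }
  }
  return findings;
}
```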

When it comes to secure implementations, many developers try to do the right thing, but sometimes you don’t know what you don’t know. For example, developers may implement encryption but do not understand how implementation choices in modes, algorithms, configuration, and architectural decisions may render that encryption useless. Many people making cybersecurity-related decisions don’t understand how breaches happen, who the threat actors are, how malware works, the cyber kill chain, threat modeling, incident handling, or why we have specific traditional security architectures. They don’t know that how they create and manage logs and build systems may facilitate a breach or exponentially increase the cost when one occurs. With some cloud implementations, security teams have no visibility into the logs. The business and development teams responsible for maintaining those systems are focused on building and leveraging data, not threat hunting, security monitoring, or incident handling.

Some developers and people managing software systems still have never heard of OWASP (the Open Web Application Security Project). Some know it in name only. Also, some people think the only thing developers need to know is the OWASP top 10. However, many developers are responsible for IAM (identity and access management) and networking in cloud environments. They also need to understand how breaches occur to create secure architectures. Developers, DevOps teams, and unfortunately some software architects are frequently at odds with security teams over architectural decisions that lead to data breaches because they don’t understand why the security team wants them to make the requested changes. Developers need basic security training to understand not just individual security flaws, but an overall discussion of risk, top threats, how breaches occur, how malware works, threat modeling, security architecture, and how to think about security.

What does the security team need to know?

Many companies have a security team — in some cases, an elite security team that has in-depth cybersecurity knowledge. This team understands how attackers are going to get into your system. They understand why and how systems need to be locked down to reduce your attack surface and attack vectors. Often they are overworked, understaffed, and facing constant pressure from the rest of the organization to lighten up on their security restrictions.

Many security teams still believe that use of cloud systems is inherently flawed because someone else not within their organization might be able to see their data. The cloud does bring about new security concerns, but along with it new opportunities to automate governance, incident handling, and response. As I wrote about previously, the Ponemon Institute reports that automation can reduce the average cost of a data breach. For some organizations, a cloud environment may ultimately be more secure than what they are doing internally — but this depends on the proper vetting of the cloud provider and secure configuration of cloud services by the customer.

In this brave new world of cloud, security teams need to understand that some cloud platforms offer benefits that can enhance the security of their organization by providing a fully automated platform where almost every action is possible via software. Leveraging this automation capability can help companies respond faster to security threats. These same cloud platforms offer almost unlimited storage for security logs and fine-grained controls that can help implement zero-trust security models more easily than you can with traditional on-premises technologies. Security teams can write code or work with their developers to implement self-defending systems and automated incident handling and response.

Security teams need the training to understand new types of services, configurations, compute resources, and logs in cloud systems to be able to monitor them effectively. They need to understand how to evaluate all types of solutions — including SaaS providers — to determine whether the solution increases risk or reduces the liability an organization may have in the case of a data breach. Finally, security teams need to understand how their development teams are leveraging automation to deploy systems faster via DevOps and GitOps, and how to hook into that pipeline to get preventative security checks in place earlier in the development lifecycle.

As already mentioned, security teams need to understand and support business objectives. Sometimes security teams are focused on doing things the ways they have always been done. When Jeff Bezos started a company to sell books online, everyone said the banks would never approve online transactions due to the risk. E-commerce gave rise to SSL, now TLS. When someone told me packet capture in the cloud was not possible, I wrote a white paper showing how it was. Now AWS offers something called VPC Traffic Mirroring.

With developers and security professionals working together to solve security problems in more automated ways, we can do more to improve security and reduce data breaches. However, developers do not have the deep knowledge of security professionals and need their help to produce solutions free of the security flaws that security people recognize from years of experience. Security teams need to learn more about how developers work and what they are doing, and enlist their help to come up with new and better security solutions, especially in cloud environments.

What should your cybersecurity training cover?

Many different types of cybersecurity training exist. I am aware of these different options because I’ve taken classes in all the areas mentioned below and obtained related certifications. I also study data breaches and what causes them. You’ll want to focus your training dollars on classes that develop an understanding of security that leads to better security decisions at the point of system implementation, monitoring, and incident response. You also may need people with very specific skillsets for different job functions. Here are some types of training that are available and how they can help your team:

Bootcamp and broad-based security classes: These types of classes give broad, high-level knowledge of many different security topics. They explain security threats and risk and how to deal with them at a more general level. These classes may cover risks and an introduction to many different security topics.

Security Awareness: Most companies offer security awareness training that teaches people how to spot phishing attacks and fake SSL/TLS certificates. These programs are not designed for system implementation and serve a different purpose. They educate end-users of applications to be aware of and watch out for security threats.

Application Security: Some security training focuses on application security. These may be classes targeted at teaching the OWASP top 10 or how to secure applications written in a specific software language. These classes have a very narrow and deep focus. They generally do not cover the other fundamental cybersecurity concepts mentioned here and focus specifically on software development mistakes and writing secure application-level code.

Penetration testing: Learning how to attack systems is fun. However, a lot of penetration testing and CTF (capture the flag) contests teach skills in a piecemeal manner that shows different types of attacks rather than how to protect systems holistically. These types of classes are suitable for individuals who want to work as penetration testers. Classes may involve pentesting websites, applications, cloud environments, network equipment, exploit writing, and fuzzing.

Intrusion detection and monitoring: Some classes focus on intrusion detection and monitoring — what do you need to look for in the logs to spot a security incident? How do you decipher network packets and packet headers? How should you configure and set up your SIEM, IDS, IPS, and other log analysis tools? These classes may teach students how to correlate different logs to piece together the timeline of an attack and determine how it occurred.

Incident response: Learn the process for dealing with a cybersecurity incident. When an incident occurs, incident handlers capture data in a manner consistent with what legal teams and law enforcement require. Typically this involves capturing data off infected disks and from memory, as well as other logs, in a way that is admissible in court. Then the IR team needs to investigate the logs, memory, and data on disks (sometimes retrieving deleted files) to determine what happened and restore systems. This class will also involve correlating events and determining the timeline and cause of attacks.

Infrastructure and operating system security: These classes cover how to configure infrastructure such as networking and operating systems. Different operating systems have different settings and options that infrastructure and DevOps teams need to set up securely. Network devices, load balancers, and storage all need to be implemented with security in mind. These classes may cover managing enterprise environments, update processes, password management, and related topics.

Reverse-engineering malware: Some classes cover reverse engineering malware, including website code, network behavior, bytecode, and assembly language. Students may learn how to analyze infected Word, PDF, and other documents with specialized tools. Students learn to use disassemblers, decompilers, hex editors, and debuggers to analyze other types of malware. This class is most appropriate for someone who wants to work at companies that sell products that help companies defend against malware.

Auditing and Compliance: Some classes cover topics like auditing and compliance. These classes teach people how to perform those specific jobs and help companies stay in line with regulations that apply to their industry. Auditing classes focus on specific skills required by auditors that follow industry-standard auditing practices to assess whether companies meet industry regulations or follow best practices.

Security Architecture: This type of class will bring together the individual aspects of security and apply them holistically to a system or enterprise. A secure architecture will reduce attack vectors and attack surface. It will include sufficient logging in a manner that identifies security incidents quickly and provides appropriate logs in the case of a security incident. Security architecture considers cost, performance, compliance, deployments, disaster recovery, and business continuity, among other things. Defense in depth creates architectures that are more difficult to infiltrate and to exfiltrate data from. Security Architecture focuses on closing gaps and mitigating the risks in your environment that may lead to a breach, hopefully in an automated, metric-driven fashion.

Red Team / Blue Team: Some classes include aspects of both attack (penetration testing) and defense methodologies so people can understand both sides — how the attackers are getting in and how to defend against those attacks.

Specialized classes: Some classes focus on a particular industry or solution, such as my cloud security class which covers top cloud computing security concerns, architectures, and services. It also covers security fundamentals and most of the topics above at a high-level, but in the context of how they apply in a cloud environment. Other specialized classes cover virtualization, industrial control systems, or other vendor or industry-specific information.

Which class is right for you and your team?

The class that is right for you and your team depends on your objectives and what problem you are trying to solve. You may need to send different people to different types of classes. People may need a broad understanding of security, or very specialized knowledge to perform a specific function within your organization. Sending a team to training together that spans different job functions within the organization can promote cooperation, communication, and teamwork. Hopefully, the above summary helps you pick a class that helps improve the security knowledge overall within your organization, thereby informing better decisions that prevent more data breaches.


Teri Radichel | © 2nd Sight Lab 2019

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab