• The Practice of Cybersecurity
• Threats and Threat Actors
• The CIA Triad
• Security Principles, Controls and Strategies
• Cybersecurity Laws, Regulations, Standards, and Frameworks
• Career Opportunities in Cybersecurity
This Module is designed to provide learners, regardless of current proficiency or experience, with a solid understanding of the fundamental principles of cybersecurity. It is intended for a wide range of individuals, from employees working adjacent to information technology or managing technical teams, to learners just getting started in the highly dynamic information security field. Completing this Module will help learners build a useful base of knowledge for progressing to more technical, hands-on Modules.
An in-depth analysis of each concept is outside the scope of this Module. To learn more about the concepts introduced here, learners are encouraged to progress through the 100-level content in the OffSec Learning Library.
Throughout this Module, we’ll examine some recent examples of cyber attacks and analyze their impact as well as potential prevention or mitigation steps. We’ll also supply various articles, references, and resources for future exploration in the footnotes sections. Please review these footnotes for additional context and clarity.
The Practice of Cybersecurity
This Learning Unit covers the following Learning Objectives:
• Recognize the challenges unique to information security
• Understand how “offensive” and “defensive” security reflect each other
• Begin to build a mental model of useful mindsets applicable to information security
Challenges in Cybersecurity
Cybersecurity has emerged as a unique discipline and is not a sub-field or niche area of software engineering or system administration. There are a few distinct characteristics of cybersecurity that distinguish it from other technical fields.
First, security involves malicious and intelligent actors (i.e. opponents). The problem of dealing with an intelligent opponent requires a different approach, discipline, and mindset compared to facing a naturally occurring or accidental problem. Whether we are simulating an attack or defending against one, we will need to consider the perspective and potential actions of our opponent, and try to anticipate what they might do.
Because our opponents are human beings with agency, they can reason, predict, judge, analyze, conjecture, and deliberate. They can also feel emotions like happiness, sorrow, greed, fear, triumph, and guilt. Both attackers and defenders can leverage the emotions of their human opponents. For example, an attacker might rely on embarrassment when they hold a computer system hostage and threaten to publish its data. Defenders, meanwhile, might leverage fear to dissuade attackers from entering their networks. This reality means human beings are a critical component of cybersecurity.
Another important aspect of security is that it usually involves reasoning under uncertainty. Although we have plenty of deductive skills, we are by no means mentally omniscient. We cannot determine everything that follows from a given truth, and we cannot know or remember an infinite number of facts.
Consider how a game like chess is different from a game like poker. In chess, you know everything that your opponent does about the game state (and vice versa). You may not know what they are thinking, but you can make predictions about their next move based on the exact same information that they are using to determine it. Playing poker, however, you do not have all of the information that your opponent possesses, so you must make predictions based on incomplete data.
When considering the mental perspectives of attackers and defenders, information security is a lot closer to poker than chess. For example, when we simulate an attack, we will never know everything there is to know about the machine/system/network/organization we are targeting. We therefore must make assumptions and estimate probabilities, sometimes implicitly and sometimes explicitly. Conversely, as the defender, we will not be aware of every potential attack vector or vulnerability we might be exposed to. We therefore need to hedge our bets and make sure that the attack surfaces most likely to be vulnerable are adequately protected.
The problem of the intelligent adversary and the problem of uncertainty both suggest that understanding cybersecurity necessitates learning more about how we think as human agents, and how to solve problems.