If you ask the average IT professional working in a business environment what their average day is like, the answer is likely to be: "I fight a lot of fires." These "fires" usually involve ensuring the security of the systems they manage and the integrity of company data. It seems like there's a new vulnerability being discovered or cyberthreat breaking out almost every day, so the firefighter metaphor applies pretty accurately to the daily grind of IT pros like us. Though perhaps a more appropriate metaphor might be that we run around in circles like a chicken whose head has been cut off. (Apologies to any animal rights activists out there, but hey, reality is what it is, not what you want it to be.)
To boost our abilities as professionals so we can fight these fires better, we usually try to keep informed about the latest vulnerabilities discovered and threats detected. Our first warning systems for identifying these can include mailing lists, blog posts, Twitter feeds, and various other online firehoses. But there is a danger in spending too much time spotting potential or emerging fires and learning how to put them out: we may be neglecting other, less worrisome but no less important, aspects of securing our environment. To use another metaphor, it's like trying to become an expert in valuing the latest modern art without first having a good general knowledge of the entire field, including art history, color theory, artistic media, art restoration, sales and marketing, insurance, and so on. In other words, by focusing too much on what is right in front of us, we may miss something important because of gaps in our knowledge.
This is why a recent book from CRC Press, The Cybersecurity Body of Knowledge, can be a big help to IT professionals. This book can help you discover the gaps in your cybersecurity knowledge by providing a solid overview of the whole field of cybersecurity. You will not only learn to identify the fires you need to douse, but also how to prioritize which fires to fight first, as well as how to fight those fires more efficiently.
The authors are respected academics who have based their treatment on an initiative known as CSEC2017. CSEC2017 is a report developed by a joint task force that includes the Association for Computing Machinery (ACM), the IEEE Computer Society (IEEE CS), the Association for Information Systems Special Interest Group on Security (AIS SIGSEC), and the International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8). The report provides guidelines for developing undergraduate degree program curricula in cybersecurity, which the authors have used as the basis for their book.
The Cybersecurity Body of Knowledge divides the field of cybersecurity into eight key knowledge areas: data security, software security, component security, connection security, system security, human security, organizational security and societal security. The book provides an overview of each knowledge area and identifies key concepts and concerns in various sub-areas called knowledge units. For example, data security is broken down into units on cryptography, digital forensics, data integrity/authentication, access control, secure communication protocols, cryptanalysis, data privacy and information storage security. Of course, the coverage of each topic is not exhaustive, as whole books can be (and often are) written about such things as digital forensics and cryptography.
The target audience of the book is mainly faculty members who teach cybersecurity, CISOs, and other stakeholders involved in developing cybersecurity policies for organizations and government agencies. However, the book is still extremely valuable for ordinary in-the-trenches IT professionals like us. It can help us quickly identify areas in our cybersecurity knowledge that need further attention, so we can become more rounded and capable in doing our jobs.
The book is easy to read and doesn't assume a great deal of prior knowledge or experience in the field. A good way for an IT pro to read it is to underline or highlight any sentence or paragraph that raises a question in their mind. For example, there is a knowledge unit on data integrity and authentication within the chapter on data security. In that unit, there is a paragraph about multifactor authentication (MFA) that includes:
"While the obvious reason for MFA is that it adds additional layers of security, there is one key point. Each organization is different and, therefore, will have unique needs. The right MFA solution should strike a balance between added security and user convenience, versus a one-size-fits-all solution that may not work for the organization."
While this point may seem almost trivially obvious, it may not surface in your awareness when it is needed, for example when your CEO tells you to create a plan for implementing MFA in your organization. This short passage could raise the question in your mind: "Should every division or department at our organization have the same MFA solution?" Rational thinking like this can be (in the long term) more effective at strengthening and ensuring cybersecurity in your organization than taking the firefighter's approach of "The boss wants this, so I gotta do it now." The Cybersecurity Body of Knowledge is full of thoughtful discussions of basic cybersecurity concepts and concerns that will help you think strategically about your work, instead of running around like ... you know, headless poultry.