Improving security skillset


I have been looking at ways to improve my knowledge and skills in IT security as i am running into a lot of hacking/phishing attempts on my clients.
I only support small businesses and individuals running their own businesses, typically the market that does not have access to an IT dept, making them less agile in dealing with breaches/hacking attempts.
Can someone suggest some certifications/courses, knowledge bases where i can get more information and skill sets that are RELEVANT to protecting small businesses and individuals. I want to be in position where i can understand the fundamentals and concepts of various hacking methods and react accordingly on behalf of my clients. I already put in place many policies to protect my clients data , but this is an ever evolving arena so i want to remain relevant.
I dont deal with Enterprises so i am not trying to be the next Troy Hunt, that is not my expertise.

Many thanks

DominicIT ConsultantAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
good anti-spam measures and user education is key.  Stress user education.
Andrew LeniartIT Consultant & Freelance JournalistCommented:
Can someone suggest some certifications/courses, knowledge bases where i can get more information and skill sets that are RELEVANT to protecting small businesses and individuals.
Dominic, we have some excellent free resources here at Experts Exchange that you can read. May I suggest you take a look at the following member's Article Contributions, who is an Expert in Security;

I hope that's helpful.

Regards, Andrew
EE Senior Editor
Although you are looking for a list or links, I will give you this:

The very baseline is: the modern OS with default settings is quite secure, most vulnerabilities are induced by admins that turn off patching, turn off firewalls, modify default security settings making them less strict to get things working. In short: it's not the skills that you need, but rather the conscience that all the changes that you make need to be evaluated against security baselines. Don't modify things if you don't feel you perfectly understand the security implications.

For example: people talk about "hacking" or "being hacked". No one is being hacked, by default. Modern routers don't even allow remote access for hackers. It's rather a passive thing, people invite hackers in by being all too foolish, executing downloads from dubious sources, surfing on dubious sites, falling for phishing links and such.

To give you something to work with: look out for baseline security concepts - see if those are met at your company and if not, try to implement those. If you feel a lack of knowledge to implement certain parts, come back and ask, so experts can point you to resources where you can learn.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SolarWinds® IP Control Bundle (IPCB)

Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.

JohnBusiness Consultant (Owner)Commented:
Good advice above, and as David notes above, top notch anti spam is vital.  Make very certain your customers have good, rotating, offsite backup systems running. And as noted, train users not to open emails from strangers.

I am running into a lot of hacking/phishing attempts on my clients.

Beyond the normal "knocking on doors" that any half way decent router will stop, what makes you think people are actively trying to get into your customers' networks.
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Different skillsets are required for different... types of tech...

For example, if most of your clients are running Windows in small offices, this will require a different skillset than protecting high traffic LAMP Stack WordPress sites.

Start by setting up a personal infrastructure which mirrors your client's infrastructure + just fend off attacks... as they will come...

Tip: If you become adept security LAMP Stacks on the net, you'll have a far larger + far more lucrative market, then securing Windows computers at physical locations.
btanExec ConsultantCommented:
Actually the  " a lot of hacking/phishing attempts on my clients. " will never go away especially when business are pushing faster for digitalisation. In fact, to be secure, it is really to separate internet from the internal network - you may think it is paranoid but it helps.

But then there is residual risk still - what are they? In fact, you dont need to be skillful as the experts said and it is an arm race even to be keep up with new threat and scheme behind the scene. If you think about it, those hackers, script kiddies and sophisticated adversaries have one thing (or one target) in common - it is human laziness and oversight by human.

Security is a process and not a product. Getting best breed does not necessarily means secure. Same goes for compliance.
Security is a shared responsibility. Not the company, not the team but your user who need to be more mindful and savvy.

I am not preaching here but these simple statements are still not appreciated and internalised hence security incident and breach remain to exist. I am thinking and suggesting, maybe the best way for you since you are already having policies in place, to go more proactive - secure the "human" first.

Run phishing campaign, throw some "infected" USB in the premise, try dumpster diving and move around the users cubicle if you have access too them - these are low hanging fruit to get a sense of the "bad habit" out to the management. Bad result can stir discomfort and that is where you can get more traction on security activities ongoing.

Social engineering is one area that we need to be savvy and beware of as that is what the adversary is (really) good at - they entice the user to do wrong things and willingly. E.g. Click as instructed when not supposed to, Double click to open file when they know they should not have done so for unsolicited email etc ...

Getting yourself trained is good but ultimately your users are still same state - not care on the basic security hygiene. Seminar and security briefing does not help much if the bad habits does not kick away. In short, hit their management, show them the Security Audit findings, proof a need to seriously continue the campaign efforts and not once off. These may be non trivial and if possible seek independent party to do it and report .
DominicIT ConsultantAuthor Commented:
Hi Everyone - these are all valid statements and thanks so far. As a last point, does anyone have any recommendations on sites which offer news and updates in the cybersecurity field. I am subscribed to a few newsletters but would be interested to have more.
btanExec ConsultantCommented:
Thought this EE has a good compilation of useful links

And especially this comprehensive 50 compilation which you probably have similar already.

You would want to subscribe to the US CERT feeds or your own local cybersecurity authority's feeds too..

Just don't get overwhelmed and become feeds fatigue. Aim and shoot but sometimes it is good to just shoot and then aim. The hands-on exposure will enrich you.
Although no english version exists, you might want to look at what browser translation features make of - they have many topics per day and those are easy to follow.
Can someone suggest some certifications/courses, knowledge bases where i can get more information and skill sets that are RELEVANT to protecting small businesses and individuals.
I've watched people in the small business world try to say this all the time. The irony is that a lot of the same things that can happen to enterprises can and do happen to small businesses and individuals. You'd still want to take many of the same classes. It's amazing how surprised small businesses are when they hear about many things out there. And I speak as someone who has worked for enterprises, small business, and government alike. One of the small businesses I worked for was actually in the news because of a well known hacking group who had hacked them, but tried to claim that they had hacked a large business that was a customer. All of the suggestions already here have been pretty good. Follow a number of security professionals on Twitter.
JohnBusiness Consultant (Owner)Commented:
I am subscribed to a few newsletters

The ZD Net series of newsletters cover all the critical news and are not laded down with tech talk that may be difficult to distill.

Many users are timid about upgrading BIOS, Chipset and Firmware (on routers and network gear), but you need to do this and highly technical articles about how hackers get in are sometimes not as helpful as they might be.
DominicIT ConsultantAuthor Commented:
Thanks for all who participated here, useful answers to follow up from.
Not too sure i like this new method of marking solutions here, i have no way as far as i can see of rewarding the participants with points and distributing them as i wish.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.