Improving security skillset

Dominic asked:

Hi,

I have been looking at ways to improve my knowledge and skills in IT security, as I am running into a lot of hacking/phishing attempts on my clients.
I only support small businesses and individuals running their own businesses, typically the market that does not have access to an IT dept, making them less agile in dealing with breaches/hacking attempts.
Can someone suggest some certifications/courses and knowledge bases where I can get more information and skill sets that are RELEVANT to protecting small businesses and individuals? I want to be in a position where I can understand the fundamentals and concepts of various hacking methods and react accordingly on behalf of my clients. I already have many policies in place to protect my clients' data, but this is an ever-evolving arena, so I want to remain relevant.
I don't deal with Enterprises, so I am not trying to be the next Troy Hunt; that is not my expertise.

Many thanks

D
David Johnson, CD:

Good anti-spam measures and user education are key. Stress user education.

> Can someone suggest some certifications/courses, knowledge bases where I can get more information and skill sets that are RELEVANT to protecting small businesses and individuals.
Dominic, we have some excellent free resources here at Experts Exchange that you can read. May I suggest you take a look at the Article Contributions of the following member, who is an Expert in Security:

https://www.experts-exchange.com/members/breadtan.html

I hope that's helpful.

Regards, Andrew
EE Senior Editor
ASKER CERTIFIED SOLUTION by McKnife (this solution is only available to members).

Good advice above, and as David notes, top-notch anti-spam is vital. Make very certain your customers have good, rotating, offsite backup systems running. And as noted, train users not to open emails from strangers.

> I am running into a lot of hacking/phishing attempts on my clients.

Beyond the normal "knocking on doors" that any halfway decent router will stop, what makes you think people are actively trying to get into your customers' networks?
Different skillsets are required for different... types of tech...

For example, if most of your clients are running Windows in small offices, this will require a different skillset than protecting high traffic LAMP Stack WordPress sites.

Start by setting up a personal infrastructure which mirrors your clients' infrastructure + just fend off attacks... as they will come...

Tip: If you become adept at securing LAMP Stacks on the net, you'll have a far larger + far more lucrative market than securing Windows computers at physical locations.

btan:

Actually, the "a lot of hacking/phishing attempts on my clients" will never go away, especially when businesses are pushing faster for digitalisation. In fact, to be secure, it really comes down to separating the internet from the internal network - you may think it is paranoid, but it helps.

But then there is still residual risk - what is it? In fact, you don't need to be skilful, as the experts said, and it is an arms race even to keep up with new threats and schemes behind the scenes. If you think about it, those hackers, script kiddies and sophisticated adversaries have one thing (or one target) in common - human laziness and human oversight.

Security is a process and not a product. Getting best of breed does not necessarily mean secure. The same goes for compliance.

Security is a shared responsibility. Not the company, not the team, but your users, who need to be more mindful and savvy.

I am not preaching here, but these simple statements are still not appreciated and internalised, hence security incidents and breaches continue to exist. I am thinking and suggesting that maybe the best way for you, since you already have policies in place, is to go more proactive - secure the "human" first.

Run a phishing campaign, drop some "infected" USB sticks on the premises, try dumpster diving and walk around the users' cubicles if you have access to them - these are low-hanging fruit to get a sense of the "bad habits" out to management. Bad results can stir discomfort, and that is where you can get more traction on ongoing security activities.

Social engineering is one area we need to be savvy about and beware of, as that is what the adversary is (really) good at - they entice the user to do the wrong things, willingly. E.g. clicking as instructed when they are not supposed to, double-clicking to open a file from an unsolicited email when they know they should not have, etc.

Getting yourself trained is good, but ultimately your users are still in the same state - not caring about basic security hygiene. Seminars and security briefings do not help much if the bad habits are not kicked. In short, hit their management, show them the security audit findings, prove a need to seriously continue the campaign efforts and not make them a one-off. These may be non-trivial, and if possible seek an independent party to do it and report.

Dominic (asker):

Hi Everyone - these are all valid statements, and thanks so far. As a last point, does anyone have any recommendations on sites which offer news and updates in the cybersecurity field? I am subscribed to a few newsletters but would be interested to have more.

I thought this EE question has a good compilation of useful links: https://www.experts-exchange.com/questions/28350815/What-are-some-great-resources-online-websites-that-I-can-subscribe-to-keep-up-with-the-latest-and-greatest-Technology.html

And especially this comprehensive compilation of 50, which you probably have something similar to already: https://blog.feedspot.com/cyber_security_rss_feeds/

You would want to subscribe to the US CERT feeds or your own local cybersecurity authority's feeds too.

Just don't get overwhelmed and get feed fatigue. Aim and shoot, but sometimes it is good to just shoot and then aim. The hands-on exposure will enrich you.

Although no English version exists, you might want to look at what browser translation features make of https://www.heise.de/security/ - they have many topics per day, and those are easy to follow.

> Can someone suggest some certifications/courses, knowledge bases where I can get more information and skill sets that are RELEVANT to protecting small businesses and individuals.
I've watched people in the small business world try to say this all the time. The irony is that a lot of the same things that can happen to enterprises can and do happen to small businesses and individuals. You'd still want to take many of the same classes. It's amazing how surprised small businesses are when they hear about many things out there. And I speak as someone who has worked for enterprises, small business, and government alike. One of the small businesses I worked for was actually in the news because of a well known hacking group who had hacked them, but tried to claim that they had hacked a large business that was a customer. All of the suggestions already here have been pretty good. Follow a number of security professionals on Twitter.
> I am subscribed to a few newsletters

The ZDNet series of newsletters cover all the critical news and are not laden down with tech talk that may be difficult to distill.

Many users are timid about upgrading BIOS, Chipset and Firmware (on routers and network gear), but you need to do this and highly technical articles about how hackers get in are sometimes not as helpful as they might be.
Dominic (asker):

Thanks to all who participated here, useful answers to follow up from.
Not too sure I like this new method of marking solutions here; I have no way, as far as I can see, of rewarding the participants with points and distributing them as I wish.