An incomplete list of #infosec core competencies
-
A Twitter 🧵 in no particular order:
You should know...
How to read a CVE announcement and assess the impact based on its CWE / CVSS score and description. Understand that CVSS scores are relative and impact in your environment may be different.
How to read a hyped, name- and logo branded, corporation backed vulnerability announcement -- as well as the relevant RFCs and actual research paper, if any, instead of just the breathless webpage -- and distill the actual, realistic threat to your environment.
The difference between a vulnerability, a threat, risk, an exploit, and attack surface; the likelihood of an exploit based on an adversary's motivation, goals, and capabilities; being able to ballpark the cost of defense within a given scope.
The difference between authentication (authN) and authorization (authZ); between secrecy and authenticity; between authenticity and integrity. Be able to translate these concepts across different contexts.
The difference between symmetric or private and asymmetric or public key cryptography; between encryption and hashing; between a key-derivation function and an HMAC used for message authentication.
You don't need to be cryptographer, but you should know roughly what the cryptographic right answers for your developers' questions are -- and why.
The difference between encryption in transit and encryption at rest.
Know to use TLS >= 1.2, but you don't need to know the details of all the ciphers and algorithms. But you should understand mTLS and client cert validation vs. server cert validation conceptually.
Understand the x509 PKI concepts, trusted CA bundles, cert chains, and common client behavior.
Know how to use 'openssl s_client' and 'openssl x509' to troubleshoot TLS connections, including STARTTLS.
Be able to use tcpdump(1) to at least get the gist of what's going on on the wire. I.e., protocol, type, port, TCP S/R/P/F/., sequence numbers, payload...
Understand cache poisoning as a concept and as applied to different protocols, such as ARP, DNS, HTTP Proxy, ...
Have a general awareness of the physical internet, peering, ASNs, BGP hijacking, and how (and when) governments can (and do) censor or intercept/inspect (parts of) the internet for their jurisdiction.
See e.g.: and
How to use ktrace(1) / strace(1) / dtrace(1) to figure out just what files or sockets a program is accessing.
Enough Python, Perl, PHP, C, Go, Java, and JavaScript to be able to read all the random code you come across and at least make some sense of it.
Enough C to understand how a buffer overflow works and how to spot one. (90% of the time a sprintf(3) of a user-generated strings into a fixed-size buffer.)
Enough input- and shell meta-characters escaping to detect, abuse, and fix unsanitized system(3) / popen(3) command-injections (in the various languages).
Be able to efficiently use your preferred packaged manager to identify file/package ownership, dependencies, package integrity. Be able to create a package for a non-trivial piece of software to understand packaging, install scripts, signatures, validation etc.
Enough AWS to be able to spin up an instance when needed. Grok the difference between NACLs and Security Groups. Be able to manage simple IAM resources and to inspect and lock down an S3 bucket.
Understand SMTP basics, email headers, etc. Know enough about SPF/DKIM/DMARC to identify those headers and understand what they are telling you.
and
Shamir's 3 Laws of Cryptography:
Absolutely secure systems do not exist
To halve your vulnerability, you have to double your expenditure
Cryptography is typically bypassed, not penetrated
Schneier's Law (Any person can invent a security system so clever that she or he can't think of how to break it.) and not to attempt to invent your own cryptographic protocol.
Be able to explain core concepts like Zero Trust, Defense in Depth, Least Privilege, Failing Closed, and Kerckhoff's Principle vs. Security by Obscurity.
How containers are different from virtual machines, and what their respective trust- and control boundaries are.
When to seek input from others: there's not just domain specific, but plenty of general security expertise outside of the information security team.
Nothing, absolutely nothing about cryptocurrencies. "Crypto" means "Cryptosporidiosis". I mean: "cryptography". That's all you need to know.
Ok, now most of this overlaps with my own experiences, and you may do well without some of the above. Don't stress about any gaps you might have - I meant to provide these as a starting point for folks to pick a place to learn more.
Some people will disagree and point out other areas. That's all quite ok. It's a broad subject. Bring your own background, take your own path.
Oh, and if you notice that a lot of this overlaps with SysAdminning and general computering on the internet and isn't even all that infosec specific... that's not coincidence.
Oh, lol, looks like Azure DNS is busted right now. That's... gotta hurt.
How’d I notice? I didn’t receive an email to my @FollowStevens address, because my mail server doesn’t talk to MTAs that it can’t reverse the IP address for, which is a great lesson for my students, since we _just_ discussed SMTP and spam protections. 😂
So yeah, “there is no cloud, only other people’s computers” once again.
10 Software Engineering Laws Everybody Loves to Ignore
A Twitter 🧵
1. Conway's Law
Also known as: "You will ship your org chart."
"Any organization that designs a system will produce a design whose structure is a copy of the organization's communication structure."
You may _think_ you can avoid it via cross-functional standup meetings and stakeholder updates and decision matrices, but eventually and inevitably conflicting or diverging priorities will lead to equally conflicting or divergent processes and outcomes.
7 battles #infosec has lost but we keep wasting efforts on trying to fight again and again nonetheless:
1) Users will always click on links in emails.
Stop trying to teach them to distinguish "bad" and "good" links. Instead, focus on ensuring their computer cannot be compromised by visiting a website and phished credentials are time-limited or otherwise useless to the attacker.
2) Users will pick bad passwords that they then reuse.
You can get _some_ users to use a password manager, but you can't enforce good passwords and practices. The only real solution is multi-factor auth, preferably via FIDO U2F and/or biometrics.
A brief Twitter r̶a̶n̶t̶ 🧵 on responsible ticket management, born out of years of frustration:
There's few things as frustrating in a large organization as diligently filing a ticket or reporting a problem only for it to sit there without anybody looking at it until it's closed by some automated job marking it as stale because it hasn't seen any updates in a year.
If you have a product that warrants a ticket queue, then you owe it to your users to manage it just as you owe it to your team to manage their workload.
Proper ticket management helps you set expectations, drive metrics, gain insights, and allow others to rely on you.