97 Things Every Information Security Professional Should Know

Copyright
Table of Contents
Preface
	O’Reilly Online Learning
	How to Contact Us
Chapter 1. Continuously Learn to Protect Tomorrow’s Technology
	Alyssa Columbus
Chapter 2. Fight in Cyber like the Military Fights in the Physical
	Andrew Harris
	The OODA Loop
	Containment Helps to Prevent and Inform
Chapter 3. Three Major Planes
	Andrew Harris
	Not Focusing on Where the Planes Meet
	Identity Versus Privileges
	Not Applying Hypothetical Syllogism
	Wrapping It Up
Chapter 4. InfoSec Professionals Need to Know Operational Resilience
	Ann Johnson
Chapter 5. Taking Control of Your Own Journey
	Antoine Middleton
Chapter 6. Security, Privacy, and Messy Data Webs: Taking Back Control in Third-Party Environments
	Ben Brook
	Establish Technical Visibility
	Exercise Technical Stewardship
Chapter 7. Every Information Security Problem Boils Down to One Thing
	Ben Smith
Chapter 8. And in This Corner, It’s Security Versus the Business!
	Ben Smith
Chapter 9. Don’t Overlook Prior Art from Other Industries
	Ben Smith
Chapter 10. Powerful Metrics Always Lose to Poor Communication
	Ben Smith
Chapter 11. “No” May Not Be a Strategic Word
	Brian Gibbs
Chapter 12. Keep People at the Center of Your Work
	Camille Stewart
Chapter 13. Take a Beat: Thinking Like a Firefighter for Better Incident Response
	Catherine J. Ullman
Chapter 14. A Diverse Path to Better Security Professionals
	Catherine J. Ullman
Chapter 15. It’s Not About the Tools
	Chase Pettet
Chapter 16. Four Things to Know About Cybersecurity
	Chloé Messdaghi
	Hackers Are Not Attackers
	Vulnerability Disclosure Policies Strengthen Defenses
	Burnout Is a Real Risk
	Upskilling: Professional Growth
Chapter 17. Vetting Resources and Having Patience when Learning Information Security Topics
	Christina Lang
Chapter 18. Focus on the What and the Why First, Not the Tool
	Christina Morillo
	“If All You Have Is a Hammer, Everything Looks like a Nail"
	Understanding the Problem
	Understanding Current Processes
	You Cannot Solve for What You Do Not Understand
Chapter 19. Insiders Don’t Care for Controls
	Damian Finol
Chapter 20. Identity and Access Management: The Value of User Experience
	Dane Bamburry
Chapter 21. Lessons from Cross-Training in Law
	Danny Moules
Chapter 22. Ransomware
	David McKenzie
	History
	Types of Ransomware
	Large-Scale Attacks
	Should You Pay?
Chapter 23. The Key to Success in Your Cloud Journey Begins with the Shared Responsibility Model
	Dominique West
	What Is This Framework and Why Should It Apply?
	How to Put This Framework into Action
Chapter 24. Why InfoSec Practitioners Need to Know About Agile and DevOps
	Fernando Ike
Chapter 25. The Business Is Always Right
	Frank McGovern
Chapter 26. Why Choose Linux as Your Secure Operating System?
	Gleydson Mazioli da Silva
Chapter 27. New World, New Rules, Same Principles
	Guillaume Blaquiere
Chapter 28. Data Protection: Impact on Software Development
	Guy Lépine
	Secure Development
	Data Protection
		Data at rest
		Data in transit
		Data in use
	Ethical Data Access
Chapter 29. An Introduction to Security in the Cloud
	Gwyneth Peña-Siguenza
Chapter 30. Knowing Normal
	Gyle dela Cruz
Chapter 31. All Signs Point to a Schism in Cybersecurity
	Ian Barwise
	Attackers Have Always Had the Advantage
Chapter 32. DevSecOps Is Evolving to Drive a Risk-Based Digital Transformation
	Idan Plotnik
	Code Security Is Becoming “Security”
	Shifting from Vulnerabilities to Risky Code Changes
	Code Risk Is Multidimensional
	DevSecOps Is Evolving
Chapter 33. Availability Is a Security Concern Too
	Jam Leomi
Chapter 34. Security Is People
	James Bore
Chapter 35. Penetration Testing: Why Can’t It Be Like the Movies?!
	Jasmine M. Jackson
Chapter 36. How Many Ingredients Does It Take to Make an Information Security Professional?
	Jasmine M. Jackson
Chapter 37. Understanding Open Source Licensing and Security
	Jeff Luszcz
Chapter 38. Planning for Incident Response Customer Notifications
	JR Aquino
Chapter 39. Managing Security Alert Fatigue
	Julie Agnes Sparks
Chapter 40. Take Advantage of NIST’s Resources
	Karen Scarfone
Chapter 41. Apply Agile SDLC Methodology to Your Career
	Keirsten Brager
	Secure Your Identity and Assets
	Look for Unconventional Paths
Chapter 42. Failing Spectacularly
	Kelly Shortridge
Chapter 43. The Solid Impact of Soft Skills
	Kim Z. Dale
Chapter 44. What Is Good Cyber Hygiene Within Information Security?
	Lauren Zink
Chapter 45. Phishing
	Lauren Zink
Chapter 46. Building a New Security Program
	Lauren Zink
Chapter 47. Using Isolation Zones to Increase Cloud Security
	Lee Atchison
	General Isolation Zone Architecture
	Managing Communications Flow
Chapter 48. If It’s Remembered for You, Forensics Can Uncover It
	Lodrina Cherne
Chapter 49. Certifications Considered Harmful
	Louis Nyffenegger
Chapter 50. Security Considerations for IoT Device Management
	Mansi Thakar
Chapter 51. Lessons Learned: Cybersecurity Road Trip
	Mansi Thakar
	Myth Versus Reality
	Unleash Your Growth
Chapter 52. Finding Your Voice
	Maresa Vermulst
Chapter 53. Best Practices with Vulnerability Management
	Mari Galloway
Chapter 54. Social Engineering
	Marina Ciavatta
Chapter 55. Stalkerware: When Malware and Domestic Abuse Coincide
	Martijn Grooten
Chapter 56. Understanding and Exploring Risk
	Dr. Meg Layton
Chapter 57. The Psychology of Incident Response
	Melanie Ensign
	Avoiding Panic
	Anticipating Stakeholder Readiness
	Teaching Stakeholders to Self-Regulate
Chapter 58. Priorities and Ethics/Morality
	Michael Weber
Chapter 59. DevSecOps: Continuous Security Has Come to Stay
	Michelle Ribeiro
Chapter 60. Cloud Security: A 5,000 Mile View from the Top
	Michelle Taggart
Chapter 61. Balancing the Risk and Productivity of Browser Extensions
	Mike Mackintosh
Chapter 62. Technical Project Ideas Towards Learning Web Application Security
	Ming Chow
	Build a Static Website Using HTML, CSS, JavaScript, and Amazon S3
	Create a Blog Using WordPress
	Build a Blog App Using a Web Application Framework
	The Point of These Projects
Chapter 63. Monitoring: You Can’t Defend Against What You Don’t See
	Mitch B. Parker
Chapter 64. Documentation Matters
	Najla Lindsay
Chapter 65. The Dirty Truth Behind Breaking into Cybersecurity
	Naomi Buckwalter
Chapter 66. Cloud Security
	Nathan Chung
Chapter 67. Empathy and Change
	Nick Gordon
	Bringing Change
	Mandates Only Work When Someone Is Watching
	Write It Down
Chapter 68. Information Security Ever After
	Nicole Dorsett
Chapter 69. Don’t Check It In!
	Patrick Schiess
Chapter 70. Threat Modeling for SIEM Alerts
	Phil Swaim
Chapter 71. Security Incident Response and Career Longevity
	Priscilla Li
Chapter 72. Incident Management
	Quiessence Phillips
Chapter 73. Structure over Chaos
	Rob Newby
Chapter 74. CWE Top 25 Most Dangerous Software Weaknesses
	Rushi Purohit
Chapter 75. Threat Hunting Based on Machine Learning
	Saju Thomas Paul and Harshvardhan Parmar
	Case Study
Chapter 76. Get In Where You Fit In
	Sallie Newton
Chapter 77. Look Inside and See What Can Be
	Sam Denard
Chapter 78. DevOps for InfoSec Professionals
	Sasha Rosenbaum
	Culture
	Automation
	Recommended Reading
Chapter 79. Get Familiar with R&R (Risk and Resilience)
	Shinesa Cambric
Chapter 80. Password Management
	Siggi Bjarnason
Chapter 81. Let’s Go Phishing
	Siggi Bjarnason
Chapter 82. Vulnerability Management
	Siggi Bjarnason
Chapter 83. Reduce Insider Risk Through Employee Empowerment
	Stacey Champagne
Chapter 84. Fitting Certifications into Your Career Path
	Steven Becker
Chapter 85. Phishing Reporting Is the Best Detection
	Steven Becker
Chapter 86. Know Your Data
	Steve Taylor
	Known Knowns
	Known Unknowns
	Unknown Unknowns
Chapter 87. Don’t Let the Cybersecurity Talent Shortage Leave Your Firm Vulnerable
	Tim Maliyil
Chapter 88. Comfortable Versus Confident
	Tkay Rice
	Is Lack of Confidence the New Imposter Syndrome?
	Using Offensive/Sensitive Terms
	Top Three Strategies for Displaying Confidence
Chapter 89. Some Thoughts on PKI
	Tarah Wheeler
Chapter 90. What Is a Security Champion?
	Travis F. Felder
	What Is a Security Champion?
	Why Does Your Company Need Security Champions?
	What Do Security Champions Do?
	How to Create a Security Champions Program?
Chapter 91. Risk Management in Information Security
	Trevor Bryant
Chapter 92. Risk, 2FA, MFA, It’s All Just Authentication! Isn’t It?
	Unique Glover
Chapter 93. Things I Wish I Knew Before Getting into Cybersecurity
	Valentina Palacin
Chapter 94. Research Is Not Just for Paper Writing
	Vanessa Redman
Chapter 95. The Security Practitioner
	Wayne A. Howell Jr.
Chapter 96. Threat Intelligence in Two Steps
	Xena Olsen
	Step One: Understand Your Role
	Step Two: Solve Someone Else’s Problem
Chapter 97. Maintaining Compliance and Information Security with Blue Team Assistance
	Yasmin Schlegel
Contributors
	Alyssa Columbus
	Andrew Harris
	Ann Johnson
	Antoine Middleton
	Ben Brook
	Ben Smith
	Brian Gibbs
	Camille Stewart
	Catherine J. Ullman
	Chase Pettet
	Chloé Messdaghi
	Christina Lang
	Christina Morillo (Author/Editor of This Book)
	Damian Finol
	Dane Bamburry
	Danny Moules
	David McKenzie
	Dominique West
	Fernando Ike
	Frank McGovern
	Gleydson Mazioli da Silva
	Guillaume Blaquiere
	Guy Lépine
	Gwyneth Peña-Siguenza
	Gyle dela Cruz
	Harshvardhan Parmar
	Ian Barwise
	Idan Plotnik
	Jam Leomi
	James Bore
	Jasmine M. Jackson
	Jeff Luszcz
	JR Aquino
	Julie Agnes Sparks
	Karen Scarfone
	Keirsten Brager
	Kelly Shortridge
	Kim Z. Dale
	Lauren Zink
	Lee Atchison
	Lodrina Cherne
	Louis Nyffenegger
	Mansi Thakar
	Maresa Vermulst
	Mari Galloway
	Marina Ciavatta
	Martijn Grooten
	Dr. Meg Layton
	Melanie Ensign
	Michael Weber
	Michelle Ribeiro
	Michelle Taggart
	Mike Mackintosh
	Ming Chow
	Mitchell Parker
	Najla Lindsay
	Naomi Buckwalter
	Nathan Chung
	Nick Gordon
	Nicole Dorsett
	Patrick Schiess
	Phil Swaim
	Priscilla Li
	Quiessence Phillips
	Rob Newby
	Rushi Purohit
	Saju Thomas Paul
	Sallie Newton
	Sam Denard
	Sasha Rosenbaum
	Shinesa Cambric
	Siggi Bjarnason
	Stacey Champagne
	Steven Becker
	Steve Taylor
	Tarah Wheeler
	Tim Maliyil
	Tkay Rice
	Travis F. Felder
	Trevor Bryant
	Unique Glover
	Valentina Palacin
	Vanessa Redman
	Wayne A. Howell Jr.
	Xena Olsen
	Yasmin Schlegel
Index
About the Editor
	Christina Morillo