Cyber security: start with the basics
02:00 Thursday, 23 September 2021
UK Cyber Security Council
There are many, many complex concepts in IT in general and security in particular - which is why companies spend so much of their budget (well, hopefully) on cyber security training each year in order to keep their people in touch with the state of the art and the current security technology. As we see across most facets of life, though, there is a thing called the “80-20 rule”, which states that with 20 per cent of the effort/time/knowledge/training we can achieve 80 per cent of what is required. Basic knowledge is under-rated - or, often, overshadowed by people constantly going on about the complex stuff.
In the 1990s, when paper IT magazines existed and online versions hadn’t happened yet, this correspondent was technical editor of a networking publication. The morning we were due to go to press, an advertiser pulled out and we had a page to fill, so the challenge from the editor to me was: you’ve got an hour to fill an 800-word gap. So I did an “idiot’s guide” to the basics of Internet Protocol (IP) networking.
The postbag went wild with readers thanking us for this basic insight and suggesting subjects we could write about. In a rush to fill a gap we had stumbled upon the fact that people often don’t know the basics and are craving a little bit of knowledge in the fields they don’t know. When we thought about it, we realised that because Novell NetWare was still hugely popular back then - and NetWare used its own non-IP protocol by default - we had suddenly taken thousands of readers from the point of knowing nothing about IP to knowing a bit about it. The column went from a one-off panic to a weekly feature.
Back to our field of cyber security, and the implication should be clear: a little bit of knowledge across a range of technologies and cyber security concepts can provide an absolutely fantastic basis to work from. While some people specialise in particular fields of security - cryptography, penetration testing, firewall architecture, Active Directory security design, and so on ad infinitum - you will find that the decent ones all have a basic grasp across a wide range of security topics.
Even if you look up the knowledge stack at the advanced qualifications such as CISM and CISSP, the principle is the same. Yes, the material is more advanced than a few dozen 800-word introductions, but nothing is covered in immense detail, and qualifications of this kind have often been described as “a mile wide and an inch deep”.
Yes, these courses and the associated exams are hard - and rightly so, as professional certifications should be anything but a doddle. But everyone starts somewhere, and the point is that a few hundred yards wide and half an inch deep gives you more than enough to make a pretty good cyber security person.
And this is because knowing a little bit about a lot of areas enables you to contextualise. If you read a magazine article about DNS poisoning, an entry-level knowledge of how the Domain Name System works lets you understand it. A basic understanding of email transport sheds light on security protocols like DKIM and SPF. Understanding the difference between encryption and hashing lets you understand why operating systems store passwords in a particular way. And so on, and so on.
Just as being a rocket scientist is not essential to impress Shania Twain (much), nor is it a prerequisite for being a decent cyber security specialist. Of course, there’s room to specialise highly in one or two areas, and become regarded as an expert in those fields. But this does not detract from the fact that a basic level of skills across a reasonable number of fields will not only make you conversant in those technologies but will make you able to understand what you read about the security aspects of them too.