Integrate defensive security into your cybersecurity strategy


A company is only as secure as its weakest link. Therefore, an effective cybersecurity strategy must encompass and address the entire system – weak links and all.

Inventor and professor Cesar Bravo wrote Mastering Defensive Security: Effective Techniques to Secure Your Windows, Linux, IoT, and Cloud Infrastructure to help security professionals learn about attack vectors and common attack methods, as well as security tools that get the job done.

Bravo said he hopes his book will serve as a bible for new and old cybersecurity professionals. “There was a gap between the introductory cover and the subject books,” Bravo said. “I call my book a ‘holistic view of cybersecurity’. It teaches basic security theory on very advanced topics, like malware analysis and pen test.”

Here, Bravo explains who should read the book, what can be taken from it, what to consider when create a personalized cybersecurity strategy and more.

Discover an excerpt from chapter 4 of Mastering defensive security to learn how to protect against malicious insider threats.

Editor’s note: The following interview has been edited for clarity and length.

Who will benefit most from reading Mastering defensive security?

Learn more about Cesar Bravo


Mastering defensive security

here.

Cesar Bravo: I created this book to facilitate the learning journey of an IT professional, from entry-level professionals just getting into IT to seasoned professionals with years of experience in cybersecurity. IT and cybersecurity are big umbrellas – there are so many things people need to know.

I was teaching a cybersecurity course to a group of professionals. Some were non-technical product managers, while others had at least 10 years of experience. I asked both groups to read chapters from my book and do the tutorials. Even though they didn’t understand the technology, I still wanted to see if they could handle the exercises. If you read the chapter, can you do the lab? Install a virtual machine? Do the exercises and understand the threats and how to avoid them? The results have been amazing. The product managers told me that they had never touched some of the technologies discussed but, after reading the chapter, were able to create a machine to execute the attacks and understand them.

Would you like to highlight a specific chapter like the one to focus on?

Bravo: Chapter 2 covers vulnerabilities. I’m an inventor, and one of the things that inspired me is USB HID [human interface device] vulnerabilities because they affect 99% of computers. There’s a false sense of security – people think that if they disable USB ports, they can’t be attacked. But that’s not always true. Even if a USB port is disabled, attackers can use a USB storage device to infect your computer. It’s a dangerous vulnerability that even security people aren’t aware of.

I spoke with the CTO of a bank because I noticed that their USB ports were exposed to the public — the computers were sitting on the desks of the customer service employees. The CEO said there was no risk because USB was disabled. They believed the machines were OK to be out in the open, but they were wrong. As a professional, you must be sure to understand all aspects of attacks in order to improve your security.

How can Master the defense Does security help readers find the security that’s right for them?

Bravo: I believe in the ideology of the professional in T. First, you have to know a little about everything, then become an expert in a field. My book explains the different technologies you need to know about in cybersecurity. For example, I’ve included IoT security, which is often not included in most general cybersecurity books, despite IoT devices being one of the most important attack vectors in businesses and homes.

I wanted to give readers an overview of all cybersecurity topics. They should understand the most important areas to focus on, such as IoT, cloud deployments, web applications, vulnerability assessments and investigation. The book gives you context, examples, insight into the latest technologies, and labs to uncover vulnerabilities in real time. Professionals can learn about malware analysis, automation, Python programming, and more to see what interests them. Maybe forensics is too difficult, so focus on IoT security instead. Readers will learn which area relates to their passions and skills, and then can dig deeper into that area.

What should companies with smaller budgets and security teams focus on in your book?

Bravo: The first five chapters are essential for small businesses. It starts with basic coverage, but then in Chapter 4 I discuss updating Layer 8 – people. You can invest millions in patching systems, but you can’t patch people – companies don’t understand that. One of the biggest threats right now is ransomware attacks, some of which have resulted in losses of over $50 million. Many of these attacks happened because someone clicked on a phishing email. If employees aren’t properly trained, it doesn’t matter how much you spend on security; you will fail.

When it comes to budget, it’s no secret that security budgets are very thin. Corn Mastering defensive security is loaded with tools, methods, and strategies that businesses can implement with almost no budget.

Why was it important to include a chapter on physical security?

Bravo: Physical attacks should be viewed from a different perspective. They are low on the risk matrix as the chances of being caught are much higher than other attacks, but the impact of a physical attack is huge.

Take Screen Crab, for example. The device captures everything a user transmits from their computer to a projector. Imagine capturing everything that was discussed in a meeting with admins about budget, clients, etc. It is important to prevent these types of physical attacks. You can have a million dollar cybersecurity system to prevent data leaks, but if someone physically connects a keylogger to your network, they can still exfiltrate the data.

When creating a cybersecurity strategy, should companies focus on preventing or stopping attacks?

Bravo: Cybersecurity is about risk, which is probability and impact. As a CISO, you create a cybersecurity strategy to reduce the likelihood of risks and reduce the impact of those risks. That said, it’s not about whether or not an attack will happen because it will. All businesses are exposed to attacks. Nobody has a bulletproof system. Today, organizations continue to grapple with the Log4j vulnerability, and new zero-day threats appear every week. A cybersecurity strategy is to be prepared when first reacting to attacks. But you also have to train people to avoid attacks. It doesn’t matter if you receive hundreds of phishing emails, if your team is well trained, they will simply ignore them. This reduces the risks.

Make sure your employees know the danger of social engineering attacks. Accounting can get calls when an attacker impersonates a vendor and says, “Hey, you haven’t paid our bill, but we have a problem with this account.” Please send payment to this other account instead.’ Many employees pay without thinking about it. That’s thousands and thousands of dollars going into a criminal’s account.

Reduce the risk of these attacks and their potential impact by creating a culture of cybersecurity awareness. This is essential to prepare for today’s landscape of growing threats.

About the Author
Cesar Bravo is a researcher and inventor who has over 100 cybersecurity-related inventions that are patented in the United States, Germany, China, and Japan. These inventions include cybersecurity hardware, secure IoT systems and devices, and even cybersecurity systems for self-driving cars.

He likes to share his knowledge and has worked with several universities to teach cybersecurity at all levels, from introductory courses for non-computer scientists to a master’s degree in cybersecurity for which he was also the thesis director.

In recent years, Bravo has become a recognized speaker, including hosting a TEDx conference and giving international presentations on cybersecurity and innovation in the UK, Germany, Mexico, the US and Spain.

Previous Mets manager Buck Showalter wants 'focus and effort' from his players
Next Get 1000 Dollars Payday Loans Online, Bad Credit OK