Crash-course in IT security?
November 24, 2013 5:30 PM   Subscribe

I'm looking for good books or websites that will give me a crash-course on modern IT security - common vulnerabilities, common strategies, common jargon, etc.

I'm pursuing a BD role with an IT security firm that primarily caters to commercial and government interests. I have a lot of business development and service-based sales experience but no real experience in IT security, common products and services therein, common jargon, etc.

I'm looking for good books or websites that I can read for an overall "state of the state" - remember I'm not building the stuff, just selling it, so I need to be able to understand what's important to companies and agencies from a security standpoint, and the common security strategies (both hardware and software) firms use to protect their electronic interests.

Also- who are the big players in the game?

I'd be happy to answer any questions that will help facilitate a response!
posted by Dr. Zachary Smith to Computers & Internet (13 answers total) 41 users marked this as a favorite
Best answer: You might peruse some of the books geared towards helping folks pass the CISSP exam. Also, see if your new position would be willing to spring for a course or two from SANS. This one might be a good fit.

As to the players, much depends on what you'll be focusing on. Identity management and/or federation, data loss prevention, network security, host/endpoint security, visualization/reporting/SEIM, encryption - all of these and more are on offer by vendors large and small, from the likes of IBM, Cisco, and Oracle down to legions of startups.

If you'll pardon the marketing-speak, "the ecosystem is thriving" these days. Security is starting to seriously wrest budget dollars from storage and networking, so everyone's getting on the train.

(N.B. - I work for an IT security company)
posted by jquinby at 5:46 PM on November 24, 2013

Best answer: Bruce Schneier runs an interesting blog; a crypto course and a series of crypto challenges were mentioned in his recent IAMA.
posted by quercus23 at 5:54 PM on November 24, 2013 [3 favorites]

Response by poster: Thanks people! Any thing specifically about mobile device management/security, vulnerability/penetration testing?
posted by Dr. Zachary Smith at 6:00 PM on November 24, 2013

Best answer: The large players in mobile device management are going to be folks like MobileIron and Good Technology.

For vulnerability scanning and pen-testing, Qualys, Whitehat, and Cenzic come to mind, particularly for public-facing applications and websites. It's a crowded field, though. The larger Manage Security Service Providers provide pen testing along with a host of other value-add services like auditing, incident response, and so on.
posted by jquinby at 6:11 PM on November 24, 2013

Best answer: By the by, I find that the best way to stay up to date on what's going on is via Twitter. I follow a slew of folks and companies who tend to point out the articles-of-the-day and big goings-on in my particular niche. This would include: taosecurity, mattblaze, csoghoian, wh1t3rabbit, virusbtn, dakami, securosis, sans_isc, packet_storm, gattaca, r_netsec, darkreading, and dangoodin001.

There are more, but that'd be a good start.

Seconding Bruce Schneier. I've also been a devoted reader of the RISKS-L digest for years. ArsTechnica is another good source, as is ThreatPost.
posted by jquinby at 6:19 PM on November 24, 2013 [2 favorites]

Response by poster: Thanks again for the suggestions.

Any recommended resources for learning C/C++, Java, and Python?
posted by Dr. Zachary Smith at 6:35 PM on November 24, 2013

Best answer: Schneier's Secrets and Lies should be your first read. It's dated. Read it anyway and pay attention to developing the security mindset.

A book on the CISSP is a really good idea.

Figure out what regulations affect the industries you sell to. Learn those regs.

Some larger firms have been listed. A few firms that do things the right way and are "gold standard" (in this curmudgeon's opinion, anyway): Mandiant, TrustedSec, Immunity.

Have a few more thoughts on not sucking in security sales, but that's a little outside the scope of the ask. Feel free to memail if you'd like a rant on the average salesperson in this industry.
posted by bfranklin at 8:00 PM on November 24, 2013 [1 favorite]

Response by poster: I got the CISSP book, though given its length I'll probably just read the first few chapters and skip around to meaty bits. Just started the MIT compsci class tonight, already did my first homework assignment too!

Hoping to go down the Python>C++ route to get some foundation in the software world, and continue to read through the suggestions made here (including the Schneier- his website has a ton of essays/op-eds, extra material, etc.).

Thanks again for the help!

(p.s. bfranklin as I get closer to actually stepping in to this role I'd definitely love to hear some horror stories).
posted by Dr. Zachary Smith at 9:37 PM on November 24, 2013

Best answer: BD role with an IT security firm that primarily caters to commercial and government interests.

I would recommend you start by reading Verizon's 2013 data breach investigations report. That will give you an idea of what large public and private organizations are up against this year. Then I would suggest reading the20 Critical Security Controls for Cyber Defense. Each control is really more like a control family and has a couple page description of what it is, what it looks like when implemented, and what the best practice is. There will be a lot of overlap with the CISSP materials mentioned above, but a lot more condensed.
posted by kovacs at 4:40 AM on November 25, 2013

Best answer: Oh, one more. It's a bit lower-level, but a perusal of the OWASP Top Ten list might be worth your time as well.

Also, consider joining your local ISSA chapter. OWASP has local chapters as well. Your employer may already be sponsoring activities.

Infragard is also a worthwhile organization, though some local chapters are more active than others. I understand that the Atlanta group is pretty happening. Here in Nashville, not so much. I do visit the private site 2-3 times a week to read the various regular reports. You'll need to apply for membership and consent to a background check.
posted by jquinby at 5:09 AM on November 25, 2013 [1 favorite]

Search Amazon for "Hacking Exposed". You will get a list of various areas (e.g. Mobile, Cloud, Virtualization, etc.).
Take a look at SANS. The courses might be of interest. Their newsletter of exploits is also worth reading.
posted by PickeringPete at 4:35 PM on November 25, 2013
posted by Dansaman at 8:16 PM on November 25, 2013

« Older Song help needed : "beware the romance of exotic...   |   Recreating the hot chocolate from City Bakery in... Newer »
This thread is closed to new comments.