'Computer Security Fundamentals:' Quantum security to certifications

From hardware to cryptography to forensics, Computer Security Fundamentals provides exactly what the title implies: a general knowledge of cybersecurity.

Its most recent edition, released in October 2019, offers updates and expanded insight into a field that author Chuck Easttom admits changes rapidly.

"This being the fourth edition, one would think, by now, we certainly got it right," Easttom said. "It's always nice to do later editions because, after each edition, we get feedback from readers and technicians on what we should add or change."

The first edition isn't bad, he added, but the feedback has helped the book grow to give readers a broad-based understanding they can use to take deeper dives into particular topic areas that interest them.

But don't get too comfortable with your knowledge, Easttom warned.

"This is a field where you'll absolutely never know enough," he said. "If somebody could magically imbue you with all the cybersecurity knowledge today, there's a shelf life on that. You're going to have to keep learning."

Computer Security Fundamentals, which is used in classrooms across the globe, is a good starting point. Each chapter also offers test questions and case studies to help readers retain what they have read.

Here, Easttom discusses some of the newer trends in cybersecurity today, additions to the book and trouble areas he sees people encounter in cybersecurity, including some in the most common, well-known places.

What changed most from the third to the fourth edition?

Chuck Easttom: The biggest one is we added a new chapter on cybersecurity engineering. People see the word engineering a lot in IT, but in many cases, there's no engineering involved. We added an entire chapter to bring in actual engineering as it applies to penetration testing and other aspects of cybersecurity.

Click to learn more about
Computer Security Fundamentals
by Chuck Easttom.

Some topics, like the forensics chapter, expanded significantly. And the cryptography chapter now includes a brief section on quantum computing and its impact on cryptography.

Speaking of quantum computing, what kind of effects can we expect on cybersecurity?

Easttom: The issue is pretty simple: Current public key cryptography -- algorithms like Diffie-Hellman, elliptic curve cryptography and RSA [Rivest-Shamir-Adleman] -- are based on mathematical problems that are very hard for classical computers to solve. That's the basis of these algorithms' security. The problem is it was already proven by a man named Peter Shor at MIT that a quantum computer can solve these mathematical problems in a reasonable amount of time. This means, if we had a fully functioning practical quantum computer today, it would be able to break RSA, elliptic curve and Diffie-Hellman in a reasonable amount of time -- not instantly, but in a reasonable amount of time. Then, all the VPNs, e-commerce and more would be insecure.

The good news is this is not a problem that's new to the cryptographic community. NIST has been working for a couple of years on a project to evaluate algorithms resistant to quantum computers. It's already gone through two rounds of analysis and has been narrowed down to a group of final candidates. NIST expects to complete this by 2022.

Will the quantum computing security fix be ready in time?

Easttom: Most people estimate we are five years out from serious implementation of quantum computing. That's because there's still a problem with what we call decoherence in the quantum computer -- basically, the state of the qubit literally falls apart in a very short period of time. While we can do limited things with them, things like cracking cryptography can't yet be done.

Note, while most experts believe we're anywhere from five to 10 years from it happening, there is so much money and attention going into quantum computing that it's possible we'll reach that level sooner.

There's an excerpt from the encryption chapter of Computer Security Fundamentals on SearchSecurity. Where do you see cryptography tripping people up?

Easttom: It's probably the biggest weakness in all of cybersecurity. For about two years. I was delivering a talk entitled 'What you don't know about cryptography and how it can hurt you.' In every case, I would speak to a room of as many as 200 cybersecurity professionals. To prove my point, in the first two minutes, I was easily able to identify important cryptographic topics that almost no one knew about.

The problem is that too many people in cybersecurity memorize just what's on a particular security certification and think that's enough. That gap in knowledge of cryptography has led to many, many breaches. For example, the original Wi-Fi security protocol, WEP [Wired Equivalent Privacy], was created insecure because the engineers who put it together did not understand cryptography and misimplemented the cryptographic algorithms they were using. This led to literally thousands of breaches over many years. That's just one of many examples.

Any other major trends or trouble areas you're seeing in cybersecurity?

Easttom: A big trouble area -- and this will sound counterintuitive at first -- is cybersecurity has become too popular. Anytime something becomes too popular, lots of people rush to it that may not be qualified. The number of people touting themselves as penetration testers or forensic analysts that don't have even rudimentary skills is quite high. One issue is there's no loss -- it's not like being an electrical engineer, where you need a professional engineering license, or medical doctor or attorney. You can hang out your shingle today saying you're a penetration tester or security specialist.

There are security certifications, and while they're great, they're controversial. There's always one person that will tell you certifications are the best thing ever and another person will tell you they're garbage. My counter to this is every profession has people who shouldn't be there -- there are incompetent physicians, but that doesn't mean a medical degree is no longer worth anything. It just means it's not an absolute 100% guarantee of competency. Certifications, if viewed properly, are a fantastic tool because any certification is evidence a person has met the minimum standards for a particular set of objectives.

Throughout the book, I mention several certifications people should consider. But, if you think a certification means someone is the end-all and be-all of cybersecurity, you're probably going to be disappointed.

Also, certification vendors have evolved in the past couple of years. Yes, there are still multiple-choice questions, but many certifications now include practical, do-it questions. I frequently take certifications just to see if I'm keeping up to date. I took one earlier this year -- the CompTIA [Computer Technology Industry Association] Advanced Security Practitioner -- and one of the first questions wasn't multiple choice. It popped up a Linux shell and simply said, 'You need to harden the server.' Presumably, you know Linux well enough to do that. It wasn't something you could guess in multiple choice. You either knew how to do it, or you failed that question.

About the author

Chuck Easttom

Dr. Chuck Easttom is the author of 26 books, including several on computer security, forensics and cryptography. He has also authored scientific papers on digital forensics, cyberwarfare, cryptography and applied mathematics. He is an inventor with 16 computer science patents. He holds a doctorate of science in cybersecurity (dissertation topic: a study of lattice-based algorithms for post-quantum cryptography) and three master's degrees (one in applied computer science, one in education and one in systems engineering). He also holds 44 industry certifications (CISSP, CEH, etc.) He is a frequent speaker at cybersecurity, computer science and engineering conferences. He is a distinguished speaker and senior member of the Association for Computing Machinery and a senior member of the Institute of Electrical and Electronics Engineers. Dr. Easttom is also a reviewer for five scientific journals and editor in chief for the American Journal of Science & Engineering. You can find out more about Dr. Easttom and his research at his website.