Include defensive security in your cybersecurity strategy

A company is only as secure as its weakest link. Therefore, an effective cybersecurity strategy must encompass and address the entire system -- weak links and all.

Inventor and professor Cesar Bravo wrote Mastering Defensive Security: Effective techniques to secure your Windows, Linux, IoT, and cloud infrastructure to help security professionals learn about attack vectors and common attacks methods, as well as security tools that get the job done.

Bravo said he hopes his book serves as a bible for new and veteran cybersecurity professionals. "There was a gap between introductory coverage and books dedicated to one topic," Bravo said. "I call my book a 'holistic view of cybersecurity.' It teaches basic security theory on up to really advanced topics, like malware analysis and pen testing."

Here, Bravo discusses who should read the book, what can be taken away from it, what to consider when creating a custom cybersecurity strategy and more.

Check out an excerpt from Chapter 4 of Mastering Defensive Security to learn how to protect against malicious insider threats.

Editor's note: The following interview was edited for clarity and length.

Who will benefit most from reading Mastering Defensive Security?

Learn more about Cesar Bravo's
Mastering Defensive Security
here.

Cesar Bravo: I created this book to help with an IT professional's learning journey, from junior professionals just entering IT to seasoned ones with years in cybersecurity. IT and cybersecurity are large umbrellas -- there is so much people need to know.

I was teaching a cybersecurity class to a group of professionals. Some were nontechnical product managers, while others had at least 10 years' experience. I had both groups read chapters from my book and do the labs. Even if they didn't understand the technology, I still wanted to see if they could handle the exercises. If you read the chapter, can you do the lab? Install a virtual machine? Do the exercises and understand the threats and how to avoid them? The results were amazing. Product managers have told me they never touched some of the technologies discussed but, after reading the chapter, were able to create a machine to execute the attacks and understand them.

Would you highlight a specific chapter as one to focus on?

Bravo: Chapter 2 covers vulnerabilities. I'm an inventor, and one of the things that inspired me is USB HID [human interface device] vulnerabilities because they affect 99% of computers. There is a false sense of security -- people believe, if they disable USB ports, they cannot be attacked. But that's not always true. Even if a USB port is disabled, attackers can use a USB storage device to still infect your computer. It's a dangerous vulnerability that even people in security are not aware of.

I spoke with the CTO of a bank because I noticed their USB ports were exposed to the public -- the computers sat on top of customer service employees' desks. The CEO said there was no risk because the USB was disabled. They believed the machines were OK to be out in the open, but they were wrong. As a professional, you need to be sure that you understand all aspects of attacks in order to improve your security.

How can Mastering Defensive Security help readers find the security focus that suits them?

Bravo: I believe in the ideology of the T-shaped professional. First, you need to know a bit about everything and then become an expert in one area. My book explains the different technologies you need to know in cybersecurity. For example, I included IoT security, which often isn't in most general cybersecurity books, despite IoT devices being one of the biggest growing attack vectors in businesses and homes.

I wanted to give readers an overview of all cybersecurity topics. They need to understand the biggest areas to focus on, such as IoT, cloud deployments, web apps, vulnerability assessments and forensics. The book gives you context, examples, a look at the latest technologies and labs to experience vulnerabilities in real time. Professionals can learn about malware analysis, automation, Python programming and more to see what interests them. Maybe forensics is too difficult, so focus on IoT security instead. Readers will learn which area is related to their passions and skills and then can deep dive on that area.

What should companies with smaller security budgets and teams focus on from your book?

Bravo: The first five chapters are key for small companies. It begins with basic coverage, but then, in Chapter 4, I discuss patching Layer 8 -- people. You can invest millions into patching systems, but you cannot patch people -- companies don't understand that. One of the biggest threats right now is ransomware attacks, some of the biggest of which resulted in more than $50 million in losses. Many of those attacks occurred because someone clicked a phishing email. If employees aren't properly trained, it doesn't matter how much you spend in security; you are going to fail.

As for budget, it's no secret that security budgets are super thin. But Mastering Defensive Security is loaded with tools, methods and strategies that companies can implement with almost no budget.

Why was it important to include a chapter on physical security?

Bravo: Physical attacks need to be seen from a different point of view. They're low on the risk matrix because the chances of being caught are much higher than other attacks, but the impact of a physical attack is huge.

Take Screen Crab, for example. The device captures everything a user transmits from their computer to a projector. Imagine capturing everything discussed during a meeting with directors on budget, clients and so forth. It's important to prevent these types of physical attacks. You may have a million-dollar cybersecurity system to prevent data leakage, but if someone connects a keylogger physically to your network, they can exfiltrate the data just the same.

When creating a cybersecurity strategy, should companies focus on preventing or stopping attacks?

Bravo: Cybersecurity is about risks, which are probability and impact. As a CISO, you create a cybersecurity strategy to lower the probability of risks and to reduce the impact of those risks. That said, it's not about if an attack will happen or not because it will happen. All companies are exposed to attacks. Nobody has a bulletproof system. Companies today continue to deal with the Log4j vulnerability, and new zero-day threats appear every week. A cybersecurity strategy is about being prepared when first reacting to attacks. But you also have to train people to avoid attacks. It doesn't matter if you get hundreds of phishing emails -- if your team is well trained, they will just ignore them. You reduce risk that way.

Make sure your people know the danger of social engineering attacks. Accounting may get calls where an attacker impersonates a provider and says, 'Hey, you haven't paid our invoice, but we have a problem with this account. Please send payment to this other account instead.' Many employees pay without thinking about it. That's thousands and thousands of dollars going into a criminal's account.

Reduce the risk of those attacks and their potential impact by creating a culture of cybersecurity awareness. That's key to being prepared for the current growing threat landscape.

About the author
Cesar Bravo is a researcher and inventor who has more than 100 inventions related to cybersecurity that are being patented in the U.S., Germany, China and Japan. Those inventions include cybersecurity hardware, secure IoT systems and devices, and even cybersecurity systems for autonomous cars.

He loves to share knowledge, and he has been working with several universities to teach cybersecurity at all levels, from introductory courses for non-IT people up to a master's degree in cybersecurity for which he has also served as a thesis director.

In recent years, Bravo has become a recognized speaker, including delivering a TEDx talk and giving international presentations about cybersecurity and innovation in the U.K., Germany, Mexico, U.S. and Spain.