Choose Your InfoSec Path
An Interactive Cybersecurity Adventure for Beginners
1st ed.
This Apress imprint is published by the registered company APress Media, LLC part of Springer Nature.
The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.
For Lola.
I promised your memory I’d write this book to make sure one good thing came out of 2020.
No doubt you will be murdering tennis balls in dog heaven.
Rest easy, sweetheart.
Welcome to my book. I am the author, Alex. I wrote this book with the goal of making information security fun and engaging to learn and interact with. Whether I succeeded or not is up to you.
This book is for people who are interested in learning about information security, either just out of curiosity or because they want to start a career in the industry. Incidentally, please don’t be put off if you don’t have an in-depth technical background: the book has been written with that possibility in mind. This book puts you in the shoes of a Chief Information Security Officer (CISO) at a company; a fast-moving and in many ways unrealistic pair of shoes, I should add. You’ll endure some of the trials and tribulations that come with the role, including responding to a cyberattack. Whether or not the company emerges from the attack unscathed is largely up to you and the choices you make throughout the book.
Note that though the story presented in this book is largely realistic and representative of how things work in the real world, I have taken some creative liberties to keep things interesting. For example, events that could take weeks or months unfurl much more rapidly because I didn’t think you’d want to read page after page of not much happening. Also, at some points the technical realities of the world are bent slightly to enhance entertainment and simplicity. This book is written to help you become enthused about information security and to raise your aptitude, but it’s not intended to be a masterclass by any means.
There are some opinions scattered around, which, needless to say, are subjective. As for the humour, it’s mostly very dry, with a lot of pot shots at some of the mundaneness of corporate employment that we’ve come to know and love accept.
This book takes you through an interactive adventure. Each section leads you through a scene in the story and directs you to the next section. Do not try to read the book in sequential order! Each section may have multiple exits or pathways depending on the choices you make. Some sections will have a decision point in the middle.
If you’re curious as to what this means, go to Section 153 .
Not all decisions have “right” or “wrong” answers, just as in real life things are often much more nuanced and greyer, rather than black and white. I’d recommend you try reading through the book a few times making the kind of choices you’d be likely to make, but also have a few read-throughs where you go against your instincts completely and see how the story deviates and what lessons you can learn.
Phase one—Prologue: Gives you background on your role and employer.
Phase two—Preparation: A time period where you know how the attackers typically behave and it’s up to you to find evidence of their activity or reasons for why they are interested in targeting you.
Phase three—Attack: The cyberattack well and truly begins.
Phase four—Aftermath: A brief period where you can enjoy your success (if you’ve had any).
How you do in phase one will determine where you enter phase two, and so on as the story unfolds. Not all stories will make it all the way through the phases; it depends how you play and what happens as a result. I should warn you, the book will not always be as straightforward as you may wish or hope—just like in real life, there is a random element and luck can play its part.
Remember that this is an individual story with individual circumstances and nuances. In the same way, each real-life incident is going to be unique and reactions/responses/relevant laws and even office politics are going to differ. What I am saying is, this book is a tool to enhance your learning and hopefully to act as a bit of fun, but it is not meant to become your own incident response plan.
As the book is centred around information security and this realm may not be your background, you may want to read the glossary at the back of the book before starting. If you don’t fancy reading the whole glossary, just remember, the first time a glossary term is used it will be in bold . For really key topics I will sometimes throw in a quick description for you.
You may notice this whole preface is in italics, which probably looks weird, but essentially italics means I am talking directly to you, smashing that fourth wall to smithereens. Most of the book is written in the second person (therefore not in italics)—after all, it’s your story. But immediately following a decision, I will chime in to offer some feedback on the decision you just made. So remember, italics means I am talking directly to you. Good luck!
Get started and go to Section 1 .
To Isabel, who I am hoping by now is my wife, COVID pandemic allowing, for not questioning me spending large amounts of time working furiously in the bedroom with my laptop. To my editor: Why is this autocorrecting to “working”?
A big thank-you to Andy Compton, the man I told I wanted to be a sponge, octopus and shark rolled into one, and still hired me to my first information security role.
A massive thank-you and apology to Sasha Zivojinovic. Whilst I listened to most of your technical feedback, I ignored some of it, as being succinct sometimes trumped the need for 100% accuracy. Let this section make it clear that anything technically wrong with this book is purely my fault, nobody else’s.
More fool you to Andrew Turner, for taking me back into his sales team after an ill-fated attempt at running my own business.
To Susan, Rita and all the hidden people behind the scenes at Apress, let’s hope your gamble paid off.
And obviously a big thank-you to my parents, Sara and Gordon, for raising me in a manner where I was educated enough to be able to write, but tortured enough to feel the need to.
is a part-time security geek and full-time Schnauzer wrangler. During his decade-long adventure in information security, his disclosures have caused countless headaches to project teams in some of the most prestigious organisations in the world. This has included disclosures to Google, McAfee, Redis Labs, Ubuntu and AlienVault products, for which he’s received recognition, reprobation and the occasional T-shirt.
When he’s not helping make the world more secure, he’s busy providing quality assurance on any and every bottle of rum that crosses his path and teaching the various German states how to source and brew a decent cup of tea.
Sasha has donated his portion of proceeds from tech reviewing this book to the Caye Caulker Animal Shelter, on the proviso that this is explicitly mentioned in his bio, while also asking that it not be mentioned that he asked for this. I think we can all agree he is a great man.