INTRODUCTION

Cybersecurity has become paramount in enterprises large and small, as the number of security incidents steadily climbs. Not only has the number of incidents increased, but the consequences of the attacks have also increased—in many cases to levels that can threaten a business. Many corporations now spend significant portions of their budget on security hardware, software, services, and personnel. They are spending this money not because it increases sales or enhances the product they provide, but because of the possible consequences should they not take protective actions.

This money is spent on both technology and people to perform security tasks. The people side of the equation includes the security professionals in an organization, but increasingly more and more of the members of the technology team, from developers to testers to management, need an understanding of the security issues, causes, and solutions associated with their technology offerings. This book serves as an introduction to the theories and practices of cybersecurity as it applies to multiple items—from hardware to software, and from equipment that costs less than $25 to enterprise-level systems.

Why Focus on Security?

Security is not something we want to have to pay for; it would be nice if we didn’t have to worry about protecting our data from disclosure, modification, or destruction by unauthorized individuals, but that is not the environment we find ourselves in today. Instead, we have seen the cost of recovering from security incidents steadily rise along with the number of incidents themselves. Cyberattacks and information disclosures are occurring so often that one almost ignores them on the news. But with the theft of over 145 million consumers’ credit data from Equifax, with the subsequent resignation of the CSO and CEO, and hearings in Congress over the role of legislative oversight with respect to critical records, a new sense of purpose in regard to securing data may be at hand. The multiple $300+ million losses from NotPetya in the summer of 2017 have illustrated the high cost of security failures in business due to security lapses. In 2020, besides a global pandemic that created challenging times for employees and the work-from-home movement, came the SolarWinds incident, a successful attack against thousands of networks. The days of paper reports and corporate “lip service” may be waning, and the time to meet the new challenges of even more sophisticated attackers has arrived. There will never be the last data breach, nor will attackers stop attacking our systems, so our only path forward is to have qualified professionals defending our systems.

A Growing Need for Security Specialists

In order to protect our computer systems and networks, we need a significant number of new security professionals trained in the many aspects of computer and network security. This is not an easy task, as the systems connected to the Internet become increasingly complex, with software whose lines of code number in the millions. Understanding why this is such a difficult problem to solve is not hard if you consider just how many errors might be present in a piece of software that is several million lines long. When you add in the factor of how fast software is being developed—from necessity as the market is constantly changing—then understanding how errors occur is easy.

Not every “bug” in the software will result in a security hole, but it doesn’t take many to have a drastic effect on the Internet community. We can’t just blame the vendors for this situation, because they are reacting to the demands of government and industry. Many vendors are fairly adept at developing patches for flaws found in their software, and patches are constantly being issued to protect systems from bugs that may introduce security problems. This presents a whole new problem for managers and administrators—patch management. How important this has become is easily illustrated by how many of the most recent security events have occurred as a result of a security bug that was discovered months prior to the security incident, and for which a patch had been available, but the community had not correctly installed the patch, thus making the incident possible. The reasons for these failures are many, but in the end the solution is a matter of trained professionals at multiple levels in an organization working together to resolve these problems.

But the issue of having trained people does not stop with security professionals. Every user, from the boardroom to the mailroom, plays a role in the cybersecurity posture of a firm. Training the non-security professionals in the enterprise to use the proper level of care when interacting with systems will not make the problem go away either, but it will substantially strengthen the posture of the enterprise. Understanding the needed training and making it a reality is another task on the security professional’s to-do list.

Because of the need for an increasing number of security professionals who are trained to some minimum level of understanding, certifications such as the CompTIA Security+ have been developed. Prospective employers want to know that the individual they are considering hiring knows what to do in terms of security. The prospective employee, in turn, wants to have a way to demonstrate their level of understanding, which can enhance the candidate’s chances of being hired. The community as a whole simply wants more trained security professionals.

Preparing Yourself for the CompTIA Security+ Exam

Principles of Computer Security, Sixth Edition is designed to help prepare you to take the CompTIA Security+ certification exam. When you pass it, you will have demonstrated you have that basic understanding of security that employers are looking for. Passing this certification exam will not be an easy task—you will need to learn many things to acquire that basic understanding of computer and network security.

How This Book Is Organized

The book is divided into chapters that correspond with the objectives of the exam itself. Some of the chapters are more technical than others—reflecting the nature of the security environment where you will be forced to deal with not only technical details but also other issues such as security policies and procedures as well as training and education. Although many individuals involved in computer and network security have advanced degrees in math, computer science, information systems, or computer or electrical engineering, you do not need this technical background to address security effectively in your organization. You do not need to develop your own cryptographic algorithm, for example; you simply need to be able to understand how cryptography is used, along with its strengths and weaknesses. As you progress in your studies, you will learn that many security problems are caused by the human element. The best technology in the world still ends up being placed in an environment where humans have the opportunity to foul things up—and all too often do.

Onward and Upward

At this point, we hope you are excited about the topic of security, even if you weren’t in the first place. We wish you luck in your endeavors and welcome you to the exciting field of computer and network security.