From the outside, people either think InfoSec is all hoody wearing basement dwelling men-children popping shellz and catching cyber criminals or they are corporate cyber-police snooping on your web browsing and preventing people doing their jobs.
And whilst there is a little bit of that, there is so, so much more, and because it’s not exciting or sexy, it gets overlooked, both by people trying to get into the industry and those just trying to interact with us. We cry ‘as an industry we suck at the basics’, but that’s because as an industry we ourselves are drawn to the shiny, not the mundane. I’m as guilty as anyone: I’ll talk about Bug Bounty Programmes because I can make them sound interesting, but I’ve never spoken publicly about asset management because, well, who wants to listen to a talk about that!
Unis too focus their courses on exciting stuff like exploitation via Metasploit but not risk management, digital forensics but not basic vulnerability management, cyber law but not compliance standards.
We have a tendency to present the public face of InfoSec as pentesting or red teaming, with a handful of SOC analysts catching the bad guys. But the truth is, they’re probably in the minority, and there are far more people ‘doing the basics’ than doing the cool stuff.
So, expect a series of posts on here running through some of the basics. But more importantly, if you think you have a good grasp of the basics, go teach others, because you’d be amazed how many people can use Metasploit but don’t understand network segmentation, vulnerability management or risk assessment!