Once upon a time, cybersecurity teams didn't have to worry about protecting cloud, mobile and IoT technologies, there weren't data breaches every day and phishing emails every moment. Nobody claimed the perimeter was dead—firewalls and airgapping worked just fine—and many security teams only worried about the occasional virus.
Security is different now. However, many things haven't changed at all. Many IT fundamentals haven't changed in over 30 years, and are still important in order to implement a well-rounded, holistic security strategy that considers all potential attack vectors. But many new (and not so new) security people might not know much about the old-world of enterprise IT and security.
We asked some experienced security professionals about which old fundamentals still need to be learned and understood to truly thrive in security today.
"Most security features were added later, on top of the old TCP/IP stack and network applications, and deep knowledge of the protocols themselves can greatly help in predicting the potential pitfalls, and how to secure modern IT environments. So, good understanding of the OSI model [more to come on that] and well-known protocols of the TCP/IP stack is a strong recommendation for anyone dealing with network security."
—Ramil Khantimirov, co-founder and CEO, StormWall
Over the past two years, security researchers have been exposing deep and extensive vulnerabilities in the TCP/IP stack. Scores of vulnerabilities affecting a wide variety of devices have been unveiled under the code names Ripple20, Amnesia:33, Number:Jack, and most recently Name:Wreck.
"How computers talk to each other is at the heart of security. The classic interview question 'What happens when I search for XYZ in the Google search bar?' is extremely important. DNS, protocols, proxying, routing protocols, etc. are all on the table and are all very important to understanding how to defend systems.
—Jimmy Mesta, Head of Security Research at Fastly
"For those who are new to the world of infosec, it's important to be aware of some legacy technologies that may still exist within your organization's technology ecosystem. Mainframes are a popular legacy technology in the enterprise.
"While many organizations have front-ended and networked their machines to create a 'new' mainframe that's fully IP-networked and supported by web-enabled data stores and services, the security that protects these networks and servers from external threats often overlooks the need to protect databases from potential threats from inside the firewall.
"Today, mainframe computers play a central role in the daily operations of most of the world's largest corporations, including many Fortune 1000 companies."
—Ulf Mattsson, Chief Security Strategist, Protegrity
"Historically, the Open Systems Interconnection (OSI) Model has provided a great baseline for understanding the interoperability of cloud services, on-premise assets and endpoint devices through seven main layers: physical, data link, network, transport, session, presentation and application.
"Many practitioners operate within one or two of the OSI layers, but to truly be successful in protecting an organization, it's crucial to understand how functions operate across the full stack. This is where a full-stack observability approach can be especially useful in detecting threats before they ever reach or affect the end-user, which as systems get more complex is only going to get more important."
—Gregg Ostrowski, Regional CTO, AppDynamics
"Many of the fundamental controls like patch management and network segmentation are still prominent in most security frameworks. Understanding layers of the Open Systems Interconnection (OSI) model, and where exploitation can occur at each layer, can be insightful to preventing or detecting attacks, but is rarely taught with an emphasis on the value.
"Even some of the most bleeding-edge enterprise environments still have sections of their networks with legacy technology or end-of-life operating systems that require a different set of controls to secure. Reading industry reports to understand the relevant attack vectors provides good initial direction. From there, if one can't describe how the top five attacks would be carried out, detected, or prevented, additional education can be layered in."
—Randy Watkins, Chief Technology Officer, CRITICALSTART
"When building the fundamental components of a security program, it's crucial for professionals new to information security to first understand the tactics, techniques, and procedures used by adversaries as outlined by the MITRE ATT&CK framework. Doing so will allow them to build and configure security capabilities and controls that enable companies to prevent, detect and respond to threats effectively.
"While Breach and Attack Simulation (BAS) platforms provide the ability to validate security controls across production infrastructure, MITRE ATT&CK enables security teams to speak a common lexicon, to more efficiently communicate details of a relevant threat, exposure of gaps, and misconfiguration found by the BAS platform, and demonstrable proof that those security controls have been optimized as a result of a security team guided by a threat-informed defense and program."
—Stephan Chenette, co-founder & CTO, AttackIQ
"The design of operating systems is another [piece of] essential knowledge. It is vital for a security expert to know how processes interact with each other, users, and data; how role model and permissions prevent unauthorized attempts to access sensible data or do something malicious; and how everything is organized inside Windows and UNIX-like operating systems."
—Ramil Khantimirov, co-founder and CEO, StormWall
"When I was first starting out at a large company, someone asked me 'How will taking the backup server offline affect the RTO and the RPO?' Honestly, I had no idea what RTO and RPO even were—yet these people were looking at me for answers.
"My point here is that it is just as important to understand the terminology used in enterprise IT as the technology—especially as we see large organizations trying to balance risk and security. Your CISO may well be using a very different set of acronyms to you, so make sure you can speak their language.
"It also remains critical to know how to find, search and review technical documents. You cannot expect to know everything, so knowing where to find the answer you want is vital. Most organizations, especially those with ISO27001 or SOC2 certifications, will have some kind of CMS where they store all the process and tech guides/manuals. Know where they are."
—Kevin Breen, Director of Cyber Threat Research, Immersive LabsJoan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio