Understanding the risks your organization faces
In this section, we will focus our efforts on getting our heads around key concepts: the threats to information systems, the vulnerabilities in those systems, and the methods used to exploit them. This includes the types of systems we'll be dealing with, the threats that information security professionals are hired to protect those systems against, and the ways those threats exploit vulnerabilities in those systems. Only after we understand these key points can we move on to the protection section (that sounds like a Schoolhouse Rock! song, but do not worry—I'll keep this largely nonmusical).
Something I would like to stress is that when we are designing a new system—whether this is web-based, mobile, embedded, or what have you—there are processes that build security into the system by design, and then there are mitigating controls that provide defense in depth in the event that those processes fail.